5 Replies Latest reply on Apr 6, 2004 9:21 AM by martin0

    userid/password for CMP

    michael lee Newbie

      Hi,

      I have successfully deployed CMP entity bean using hardcoded userid and password in database connection setup. (in my case, it is sybase-service.xml). I have set security control on the ejb-jar.xml so that only user with specified role can access and manipulate the bean. Every thing seems okay.

      However, i would like to know whether the user id and password can be stored in somewhere else (other than the -ds.xml).

      Why?

      I would like to prevent an developer from developing a program which use JNDI look up for the database connection and then access the data using JDBC call. (for example, if the CMP entity bean is used to store something related to salary, i don't want anyone bypass the role checking built-in for the EJB)

      Regards,
      Michael


        • 1. Re: userid/password for CMP
          martin0 Novice

          Michael,

          I believe you can specify the security-realm login access to the database.

          See http://www.jboss.org/index.html?module=bb&op=viewtopic&t=45111

          Martin

          • 2. Re: userid/password for CMP
            michael lee Newbie

            Martin,

            Thanks for your information.

            Using the proposed method, the database password can be encrypted and not readable in the config file. However, by using JNDI lookup for the datasource, then call getConnection using the return datasource, a connection will be created to access the database even though the password is unknown. Is this correct?

            Is it possible to specify connection information in say jbosscmp-jdbc.xml?

            Regards,
            Michael

            • 3. Re: userid/password for CMP
              martin0 Novice

              They can only do that if they can deploy it in the relevant security domain (I believe).

              Bottom line is they can use a command line SQL tool to access the database. Sounds like the security you need belongs in the database too.

              Also if they have access to the deployment descriptors, they can just change the method-permission.

              Sounds like you need to restrict access to the production server and have the application deployer be a trusted member of staff.

              I'm interested to see what outcome you have.

              Martin

              • 4. Re: userid/password for CMP
                michael lee Newbie

                Actually, i am new to J2EE Application server and just develop a simple application. What i am thinking is:

                In the development environment, jmx-console is not protected and each programmer can use the JNDIViewer to obtain the JNDI name defined for the datasource. Afterward, a simple JSP may be developed and then deployed (thru formal procedure since the boss do not know what the JSP is all about) to production server. If production environment is the same as testing (respect to JNDI naming), the JSP can be used to access restricted information.

                On the other hand, deployment descriptor for production server may not be so easily accessible.

                Any suggestion?

                Regards,
                Michael

                • 5. Re: userid/password for CMP
                  martin0 Novice

                  1) The jmx-console web app should be secured like any other web app

                  I'll think about other things later.

                  Martin