1 Reply Latest reply on Nov 15, 2005 10:37 AM by oglueck

    Datase Security Schema and JAAS

    Alvaro Martinez Newbie

      Hello Mr. Scott Stark

      I am new to Jboss security schemas, and I have read several guides that come along with JBoss and EJB3.

      As far as I´ve read I understand that the Jboss Security Schema is appart from the persistence database schema itself, that is to say, we know database engines like Oracle and Sql Server (the ones I have currently in use), they have their own security schema where they allow the dba define users, passwords and roles.

      My question is, whether there is a way to, kind of, bind the database´s own secutiry schema to the Jboss application, such that users and passwords form the very DB can be used and users can authenticate with them.

      I would like you to show me How it could be done on the loging pagaes, web page, the servlet and the session and entity beans (EJB3 of course).

      On the other hand, when I defined the -ds.xml descriptor to configure the oracle / sql server conection for the appl, I included the password component in it, as shown in the next fragment of code:

      <datasources>
       <xa-datasource>
       <jndi-name>CellDomDS</jndi-name>
       <track-connection-by-tx>true</track-connection-by-tx>
       <isSameRM-override-value>false</isSameRM-override-value>
       <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
       <xa-datasource-property name="URL">jdbc:oracle:thin:@localhost:1521:orcl</xa-datasource-property>
       <xa-datasource-property name="User">CellDom</xa-datasource-property>
       <xa-datasource-property name="Password">Admin</xa-datasource-property>
       <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      
       <!-- Oracles XA datasource cannot reuse a connection outside a transaction once enlisted in a global transaction and vice-versa -->
       <no-tx-separate-pools/>
       <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
       <metadata>
       <type-mapping>Oracle9i</type-mapping>
       </metadata>
       </xa-datasource>
      
      
      .

      My issue concerning this is, Is there a way to avoid showing a Password in this configuration in order to avoid possible security breaks. (something like tell the Appl Server to ask for this password instead of including it as part of the persistence configuration).

      The fact is as of yet I am developing two applications, one using Oracle 10g as persistence domain and the other using SqlServer 2000 as persistence Domain, and I need to let users for both appls, to login using ther users/passwords they were assigned in the corresponding Databases.

      Thank you in advance.
      Alvaro E Martinez
      alvarommz@yahoo.com

        • 1. Re: Datase Security Schema and JAAS
          Novice

          What you want does not scale. You need to pool DB connections. This contradicts a per-user authentication with the DB. You can however write a JAAS login module that authenticates against the users of a DB. But in the backend you must use one single (technical) DB user for your application (DS) that performs all the work.

          DB user management as detailed as in products like Oracle is historic (client-server era) and if of no real use for distributed applications today. I mean those DBs even have stuff like stored procedures that enable you to actually write whole applications inside the DB (Oracle Portal as an example). Just because a feature exists that is not a reason to use it.