Hello Mr. Scott Stark
I am new to JBoss security schemas, and I have read several guides that come along with JBoss and EJB3.
As far as I've read, I understand that the JBoss security schema is apart from the persistence database schema itself. That is to say, we know database engines like Oracle and SQL Server (the ones I currently have in use) have their own security schema, where they allow the DBA to define users, passwords and roles.
My question is whether there is a way to, kind of, bind the database's own security schema to the JBoss application, such that users and passwords from the very DB can be used and users can authenticate with them.
I would like you to show me how it could be done on the login pages, web page, the servlet and the session and entity beans (EJB3 of course).
On the other hand, when I defined the -ds.xml descriptor to configure the Oracle / SQL Server connection for the application, I included the password component in it, as shown in the next fragment of code:
<datasources>
  <xa-datasource>
    <jndi-name>CellDomDS</jndi-name>
    <track-connection-by-tx>true</track-connection-by-tx>
    <isSameRM-override-value>false</isSameRM-override-value>
    <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
    <xa-datasource-property name="URL">jdbc:oracle:thin:@localhost:1521:orcl</xa-datasource-property>
    <xa-datasource-property name="User">CellDom</xa-datasource-property>
    <xa-datasource-property name="Password">Admin</xa-datasource-property>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <!-- Oracle's XA datasource cannot reuse a connection outside a transaction once enlisted in a global transaction and vice-versa -->
    <no-tx-separate-pools/>
    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
      <type-mapping>Oracle9i</type-mapping>
    </metadata>
  </xa-datasource>
</datasources>
My issue concerning this is: is there a way to avoid showing a password in this configuration, in order to avoid possible security breaches? (Something like telling the application server to ask for this password instead of including it as part of the persistence configuration.)
The fact is that as of yet I am developing two applications, one using Oracle 10g as persistence domain and the other using SQL Server 2000 as persistence domain, and I need to let users of both applications log in using the users/passwords they were assigned in the corresponding databases.
Thank you in advance.
Alvaro E Martinez