Sorry, if I have it configured for CMP, one can just access the database using JDBC if he knows the user and password, so it's not a problem.
But the problem persists because one can access the datasource using a BMP bean (it's just a matter of doing a lookup and getting the DS).
Assuming I'm getting you straight, why do you want to use both app-server and database level security? This will prevent you from sharing connections between different users and you'll lose the benefits of having pooled connections.
There is a method on the DataSource interface which takes a username and password, so you could use this, mapping the information from your J2EE users to your database users as you see fit.
I don't understand what you are trying to do, there are many possibilities consistent with your description. However, I suggest you look into using the CallerIdentityLoginModule.
Luke: This is my scenario: if I only use app-server level security, a user can use JDBC to have access to another user's database if she has the db's URL. If I only have db level security, a user can access another user's datasource if she has the JNDI name of this DS. So I have to have both security levels.
David: It was exactly what I was looking for.
Thank you both for the help.
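
The suggestion earlier in the thread (the `DataSource` method that takes a username and password, with J2EE users mapped to database users), sketched as an added example that is not code from any poster. The class `PerCallerConnections`, the `DbCredential` type and the in-memory mapping are hypothetical names for illustration; where the credentials are stored is left to the deployment.

```java
import java.security.Principal;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Map;
import javax.sql.DataSource;

/** Hypothetical helper: opens connections as the database user mapped to the J2EE caller. */
public class PerCallerConnections {

    /** Database credentials for one J2EE user (constructed type for this example). */
    public static final class DbCredential {
        final String user;
        final char[] password;

        public DbCredential(String user, char[] password) {
            this.user = user;
            this.password = password.clone();
        }
    }

    private final DataSource dataSource;              // obtained by the bean's JNDI lookup
    private final Map<String, DbCredential> mapping;  // J2EE principal name -> database account

    public PerCallerConnections(DataSource dataSource, Map<String, DbCredential> mapping) {
        this.dataSource = dataSource;
        this.mapping = mapping;
    }

    /**
     * Pass the result of EJBContext.getCallerPrincipal(). A caller with no mapping is
     * refused instead of falling back to the datasource's default account.
     */
    public Connection connectionFor(Principal caller) throws SQLException {
        if (caller == null || caller.getName() == null) {
            throw new SQLException("no authenticated caller");
        }
        DbCredential cred = mapping.get(caller.getName());
        if (cred == null) {
            throw new SQLException("no database account mapped for " + caller.getName());
        }
        // DataSource.getConnection(String, String): the connection is opened as the
        // mapped database user, so database-level grants apply to this caller.
        return dataSource.getConnection(cred.user, new String(cred.password));
    }
}
```

As noted in the thread, connections opened this way are tied to one database user, so they cannot be shared across users from a common pool.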