Hi Aliya,
the fact that on the App Server the WEB-INF/conf/hibernate.properties
contains the root password for the MySQL database is another weak
point. With other databases the user used to access the database via JDBC is
different from the admin user and that user can access only its own schema.
I am not sure if this can be done, and if so how it can be implemented, with MySQL.
Best Regards
Roberto
From: Roberto Musso/Ireland/Contr/[EMAIL PROTECTED]
Sent by: mifos-developer-b[EMAIL PROTECTED]ceforge.net
Date: 02/20/2008 08:26 AM
To: Developer <[EMAIL PROTECTED]>
cc: "Developer" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Please respond to: Developer <mifos-developer@lists.sourceforge.net>
Subject: Re: [Mifos-developer] MySQL Security
Hi,
Security, other points to investigate:
jdbc connection user id and pwd (this can be secured using password
DIGEST)
session timeout (exposes data)
put in front of the Application Server a reverse proxy (Apache 2.2.x)
(useful also for eventual load balancing)
LDAP use? (open point, not for 1.1 I think)
Tomcat REALM use? (the Memory REALM can be used straightforwardly, while JDBC
and JNDI REALMs need more study)
I am sure I forgot something
Best Regards
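Both points above (the root password in hibernate.properties, and the JDBC user id/pwd) come down to giving the application its own least-privilege MySQL account. The following is an added example, not code from the thread or from the Mifos project; it assumes the schema is named `mifos` and the account `mifos_app`, and uses a placeholder password.

```sql
-- Added example (not from the thread or the Mifos project): a MySQL account
-- scoped to the application schema, so hibernate.properties no longer needs
-- the root password. Assumed names: schema `mifos`, account `mifos_app`;
-- 'CHANGE_ME_placeholder' must be replaced before use.

-- 1. Dedicated account, reachable only from the app server host.
--    (Use the app server's hostname/IP instead of 'localhost' when the
--    database runs on a separate machine.)
CREATE USER 'mifos_app'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder';

-- 2. Only the DML the application needs, and only on its own schema:
--    no GRANT OPTION, no global (*.*) privileges, no DDL at runtime.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON mifos.* TO 'mifos_app'@'localhost';

-- 3. Verify: the account's grants should mention only the mifos schema.
SHOW GRANTS FOR 'mifos_app'@'localhost';

-- 4. Audit: any non-root account holding global privileges is a sign that
--    something still connects with more rights than it needs.
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE NOT LIKE '''root''@%'
   AND PRIVILEGE_TYPE <> 'USAGE';

-- 5. The application account should show up here instead, limited to
--    its own schema.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE TABLE_SCHEMA = 'mifos';

-- hibernate.properties then points at the scoped account instead of root:
--   hibernate.connection.username=mifos_app
--   hibernate.connection.password=<the mifos_app password, not root's>
```

Schema creation and upgrade scripts that need DDL should be run with a separate administrative account, not through the application's runtime credentials.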
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/