On Friday, September 5, 2003, at 09:06 AM, Thimo König wrote:


Hi,

my question is probably offtopic:
We would like to use OJB with Hsqldb for an offline client application.
Because data needs to be persistent we have to use "disk" mode for
Hsqldb. As far as I understood until now this means the data is stored
as CREATE and INSERT statements in an ASCII file.

Anyone may open the file with an editor of his choice and view/change
data. Is there a way to deny direct access to the file? What are the
User/Pwd in OJB/JDBC Connection for if anyone can access this file
directly?


They are the user and password for connecting to the database - not the system user and password (hence the 'sa' user and no password for HSQLDB by default). HSQLDB does support different users (I think), but the files must be rw to the person starting the process that launches HSQLDB.


If it is for offline access, i.e. on someone's workstation, I don't think there is a way to prevent access to the data (they own the file, they can do what they want). If you can control the execution environment, one option is to run HSQLDB in standalone mode with a dedicated user (in *nix this is pretty easy, I cannot imagine it is much more difficult on Windows).

If you face the first problem, a technical hack exists to make sure it is unmodified by external processes: take an md5 of the database files before the database is started and shut down, and compare appropriately. I don't think I would *like* this solution. Similarly, preventing casual mangling can be done by encrypting the database files, but anyone with the bytecode and a hex editor, or who figures out they can start the app, munge the database, and quit the app, can have free rein. It will stop less sophisticated users at least.

-Brian
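
The digest check described in the reply above, as an added example that is not part of the original thread or of OJB/HSQLDB: it uses HMAC-SHA256 in place of a bare md5 so that overwriting the stored value alone does not hide an edit. The class name, the `clientdb.*` file names, the `.seal` sidecar file and the key are assumptions for illustration; the key ships inside the application, so the limits stated in the reply still apply.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DbFileSeal {
    private final List<Path> files;  // database files to cover, in a fixed order
    private final Path sealFile;     // sidecar file holding the tag (hypothetical name)
    private final byte[] key;        // embedded in the app, so recoverable from the bytecode

    DbFileSeal(List<Path> files, Path sealFile, byte[] key) {
        this.files = files; this.sealFile = sealFile; this.key = key;
    }

    // HMAC-SHA256 over each file's name, length and content; a missing file is recorded as length -1.
    private byte[] tag() throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        for (Path f : files) {
            byte[] body = Files.exists(f) ? Files.readAllBytes(f) : null;
            String header = f.getFileName() + ":" + (body == null ? -1 : body.length) + "\n";
            mac.update(header.getBytes(StandardCharsets.UTF_8));
            if (body != null) mac.update(body);
        }
        return mac.doFinal();
    }

    // Call after the database has been shut down and its files are closed.
    void seal() throws Exception { Files.write(sealFile, tag()); }

    // Call before opening the JDBC connection; false means a changed file or a missing seal.
    boolean verify() throws Exception {
        return Files.exists(sealFile) && MessageDigest.isEqual(Files.readAllBytes(sealFile), tag());
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = "demo-key-not-secret".getBytes(StandardCharsets.UTF_8);
        Path dir = Files.createTempDirectory("sealdemo");
        Path script = dir.resolve("clientdb.script");  // constructed sample data
        Files.write(script, "CREATE TABLE T(ID INT)\nINSERT INTO T VALUES(1)\n".getBytes(StandardCharsets.UTF_8));
        DbFileSeal seal = new DbFileSeal(List.of(script, dir.resolve("clientdb.properties")),
                dir.resolve("clientdb.seal"), demoKey);
        seal.seal();
        System.out.println("untouched: " + seal.verify());
        Files.write(script, "INSERT INTO T VALUES(2)\n".getBytes(StandardCharsets.UTF_8));  // edit made outside the app
        System.out.println("edited:    " + seal.verify());
    }
}
```

Treat a failed `verify()` as a reason to refuse to open the database or to log the event, and write the seal only after a clean shutdown so a crash is not mistaken for a valid state.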


