Hi,

I think it is as much of a security threat to let users pass *real* database
passwords via HTTP posts or basic HTTP authentication.

It is also technically difficult or useless to have a database pool that
is meant to both reuse connections and to
keep individual connections for each logged-in user.

It is simpler in this case to keep one opened database connection
(user specific) within HttpSession:
---------------------------------
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.servlet.http.HttpSession;

// Look up the session-scoped connection; open one on first use with the
// credentials the current session's user supplied (sessionUser/sessionPassword
// and jdbcUrl stand for whatever the servlet already has in scope).
Connection myConnection = (Connection) mySession.getValue("myConnection");
if (myConnection == null) {
    myConnection = DriverManager.getConnection(jdbcUrl, sessionUser, sessionPassword);
    mySession.putValue("myConnection", myConnection);
    // here an HttpSessionBindingListener to close the connection
    // when the session expires is necessary..
}
--------------------------------
On Thu, 25 Mar 1999, Thomas Moore wrote: (a part of it)
> b)  Any client can request a connection, ...
It cannot. The servlet requests the connection, which is on our side
(good guys), not theirs.
A servlet does its own specific task; there is no
means for a malicious HTTP client to say "now that you obtained a
connection, pass it on to me".

>  I'm
> totally not convinced that the speed gain here is worth that kind of
> risk...  All IMHO, of course...

You're right. Everyone compromises between performance, security, and
costs. Some won't buy RDBMS licenses for thousands of users just to publish "live"
data, others will.

If the application is used on an intranet (known number of users and their
identities), it makes sense to let users authenticate themselves against the database.

If the code is a public web app facing the outside public, it makes sense
to use a database pool with configurable connection parameters,
without freezing them in .class files (and it is safer than adding valid RDBMS
accounts for each anonymously registered user).

> or even less-than-competent programmer could use to blow away your data.
He will blow it away anyway. In real-world apps there is little room for things like
"harmless user privileges".


Cezar Totth                             email:  [EMAIL PROTECTED]
                                        Fax:    (401) 220 33 95
Genesys Software Romania                Phone:  (401) 638 49 44
Stefan Furtuna 169, sect.6
cod 77171, Bucharest
Romania
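The message above says an HttpSessionBindingListener is needed to close the per-session connection when the session expires but does not show one. The class below is an added example written for this archive page, not the poster's code or anything from the list; it assumes the Servlet 2.2-style getAttribute/setAttribute/removeAttribute methods and takes the JDBC URL and the user's credentials as parameters (names are hypothetical). It keeps only the open Connection in the session, never the password, and relies on the container calling valueUnbound on timeout, invalidate() or removeAttribute() to close the connection.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Holds one JDBC connection per HttpSession and closes it when the session
 * expires or the attribute is removed. Only the connection is stored; the
 * user's password is used once to open it and is not retained anywhere.
 * (Added example; class and method names are hypothetical.)
 */
public final class SessionConnectionHolder implements HttpSessionBindingListener {

    // Session attribute key; any string unique within the web app works.
    private static final String ATTR = SessionConnectionHolder.class.getName();

    private final Connection connection;

    private SessionConnectionHolder(Connection connection) {
        this.connection = connection;
    }

    /**
     * Returns the session's connection, opening one with the caller's
     * database credentials on first use (or if the old one was closed).
     * If two requests of the same session race here, the second
     * setAttribute() replaces the first holder, and the container calls
     * valueUnbound() on the replaced holder, so the extra connection is
     * closed rather than leaked.
     */
    public static Connection getConnection(HttpSession session, String jdbcUrl,
                                           String dbUser, String dbPassword)
            throws SQLException {
        SessionConnectionHolder holder =
            (SessionConnectionHolder) session.getAttribute(ATTR);
        if (holder == null || holder.connection.isClosed()) {
            Connection c = DriverManager.getConnection(jdbcUrl, dbUser, dbPassword);
            holder = new SessionConnectionHolder(c);
            session.setAttribute(ATTR, holder);   // container calls valueBound()
        }
        return holder.connection;
    }

    /** Explicit logout: removing the attribute closes the connection via valueUnbound(). */
    public static void release(HttpSession session) {
        session.removeAttribute(ATTR);
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do: the connection is already open when we are bound.
    }

    /** Called by the container on session timeout, invalidate(), or removeAttribute(). */
    public void valueUnbound(HttpSessionBindingEvent event) {
        try {
            if (!connection.isClosed()) {
                if (!connection.getAutoCommit()) {
                    connection.rollback();   // discard any uncommitted work
                }
                connection.close();
            }
        } catch (SQLException e) {
            // The session is going away regardless; record the failure and continue.
            event.getSession().getServletContext()
                 .log("closing per-session database connection failed", e);
        }
    }
}
```

A login servlet would call SessionConnectionHolder.getConnection(request.getSession(), jdbcUrl, user, password) with the credentials taken from the request and then let them go out of scope; every later request reuses the stored connection, and a logout servlet calls release(). The number of open database connections equals the number of live sessions, which is exactly the licensing trade-off the message describes.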

Archives: http://archives.java.sun.com/archives/servlet-interest.html