I'm not sure what you mean by 'app server'. I have JRun 3.0 servlet engine
connected to IIS 5.0 running on Win 2000 Adv Server. Web browser will be IE
(at least 4.0).
It has been suggested that I use an https connection to get the password and
userid and then store them in a session variable for use in the database
connection string. I am currently researching session variables.
I don't have a lot of servlet or web development experience. It seems there
is a debate going on now as to how SingleThreadModel actually works. I don't
know who is right or wrong.
Bottom line is I'm looking for a simple solution to provide secure database
queries using user passwords and userids in servlets. My fear is some clever
hacker will beat my security and view proprietary data. I am grateful for
any advice from the experts on this list.
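The login-over-HTTPS, credentials-in-session approach discussed above, written out as an added illustration (this is not code from anyone on this thread) against the servlet API of the period. It keeps no per-user state in servlet instance fields, so it does not depend on SingleThreadModel at all: the JDBC connection is a local variable opened per request and closed in a finally block, and the session's idle limit implements the 5-minute timeout. JDBC_URL, the parameter names, the /report path and the documents table are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Credentials are collected once over HTTPS, kept in the HttpSession, and a
 * JDBC connection is opened per request with them. No instance fields hold
 * per-user data, so the normal multi-threaded servlet model is safe here.
 */
public class ProprietaryDataServlet extends HttpServlet {

    // Assumption: placeholder JDBC URL, not a value from the thread.
    private static final String JDBC_URL = "jdbc:hypothetical://dbhost/proprietary";
    // The 5-minute idle limit mentioned in the thread, applied to the session.
    private static final int IDLE_TIMEOUT_SECONDS = 5 * 60;

    /** Login: POST userid/password over HTTPS only. */
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {           // never accept credentials over plain HTTP
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = req.getParameter("userid");    // assumed form field names
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Let the database itself decide whether the credentials are valid.
        try {
            Connection probe = DriverManager.getConnection(JDBC_URL, user, pass);
            probe.close();
        } catch (SQLException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        // Discard any pre-login session so its id is not carried into the
        // authenticated session, then cap the session's idle lifetime.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        session.setAttribute("db.user", user);
        session.setAttribute("db.pass", pass);   // held in server memory for the session's life
        resp.sendRedirect(req.getContextPath() + "/report");  // assumed path of doGet
    }

    /** Query: opens a per-request connection with the session's credentials. */
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("db.user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Please log in");
            return;
        }
        String user = (String) session.getAttribute("db.user");
        String pass = (String) session.getAttribute("db.pass");
        // Local variable: each request (and thread) gets its own connection,
        // nothing is shared between users, and it is always closed.
        Connection conn = null;
        try {
            conn = DriverManager.getConnection(JDBC_URL, user, pass);
            // Bound parameter: request data cannot change the shape of the query.
            PreparedStatement ps = conn.prepareStatement(
                    "SELECT title FROM documents WHERE owner = ?");  // assumed table
            ps.setString(1, user);
            ResultSet rs = ps.executeQuery();
            resp.setContentType("text/plain");
            while (rs.next()) {
                resp.getWriter().println(rs.getString(1));
            }
            rs.close();
            ps.close();
        } catch (SQLException e) {
            throw new ServletException("query failed", e);
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
    }
}
```

The trade-off to be aware of: the database password sits in server memory (and in any session store the engine persists to) until the session expires or is invalidated, so the idle timeout and an explicit logout that calls session.invalidate() matter as much as the HTTPS check. Opening a connection per request costs more than keeping one open, but it removes the question of which thread or which user owns a long-lived connection.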
> -----Original Message-----
> From: A mailing list for discussion about Sun Microsystem's Java Servlet
> API Technology. [mailto:[EMAIL PROTECTED]]On Behalf Of T A
> Flores
> Sent: Saturday, November 04, 2000 7:45 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Servlet-Database security
>
>
> First of all what app server will you be using?
>
> Second of all I don't think Single Thread will be your solution, please
> see the archives on that discussion.
>
> You could possibly store in session, depending on how secure you want
> this, some indicator.
>
>
> ----- Original Message -----
> From: Stephen Casey <[EMAIL PROTECTED]>
> Date: Friday, November 3, 2000 12:24 pm
> Subject: Servlet-Database security
>
> > I'm tired of looking through the archives. Sorry if this has been
> > discussed but I can't find exactly what I'm looking for in there.
> >
> > Up until now all of my servlets have accessed 'public' data in our
> > database using a userid and password hard coded in the servlet
> > database connection. At this point I need to write an application
> > that accesses 'proprietary' data. Database connections will
> > authenticate according to the user's personal id and password. I'm
> > thinking I will implement a SingleThreadModel and create the database
> > connection using SSL (https://). Will this protect the data stream
> > from unauthorized 'eyes'? Will other instances of the servlet be able
> > to access the connection?
> >
> > I don't want them to have to go through a logon screen for each query
> > so I'm thinking I can keep the connection open and pass it to whatever
> > classes the servlet calls. If the connection remains idle for more
> > than 5 minutes I will close it. Again, will passing the connection
> > allow unauthorized access to data? Do I have to implement
> > SingleThreadModel or serialize the classes/connections in all classes
> > used by the calling servlet?
> >
> > Does anyone see any 'holes' in this approach? Can you suggest a
> > better strategy?
> >
> > Thanking you in advance,
> > Stephen
> >
> >
> > ___________________________________________________________________________
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff SERVLET-INTEREST".
> >
> > Archives: http:
> > Resources: http://java.sun.com/products/servlet/external-resources.html
> > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html