Simplest solution is to dump SingleThread and make use of synchronized
blocks if they become necessary.

Choices are you can perform the initial authentication through the
server services.

From Jason Hunter's Java Servlet Programming (O'Reilly): user
authentication can be made available to a servlet through
request.getRemoteUser(), which attaches the authentication to the request
object. All that's left is to tell the server which pages are protected.
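Putting the reply's advice into code, as an added example that is not from the original thread: a servlet that leaves authentication to the container and reads request.getRemoteUser(), refuses non-HTTPS requests, keeps its JDBC connection in a per-request local variable instead of a shared field (so SingleThreadModel is not needed), and uses a synchronized block only for the one piece of shared mutable state. The class name, the table, and the way the DataSource is obtained are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
// Hypothetical servlet. The container authenticates the user (a
// <security-constraint> in web.xml covers this URL), so the servlet never
// sees or stores the password. No SingleThreadModel is needed: the shared
// fields are a thread-safe DataSource and one counter guarded explicitly.
public class ProprietaryDataServlet extends HttpServlet {
    private DataSource dataSource;   // set once in init(), read-only afterwards
    private int requestCount = 0;    // shared mutable state
    public void init() throws ServletException {
        // Assumption: application startup code stored a pooled DataSource here.
        dataSource = (DataSource) getServletContext().getAttribute("proprietaryDataSource");
        if (dataSource == null) throw new ServletException("no DataSource configured");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {             // never serve proprietary data over plain HTTP
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = req.getRemoteUser(); // filled in by the container after login
        if (user == null) {                // URL was not covered by the security constraint
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        synchronized (this) { requestCount++; }  // synchronized block, not SingleThreadModel
        Connection conn = null;            // per-request local, never a servlet field
        try {
            conn = dataSource.getConnection();
            PreparedStatement ps = conn.prepareStatement(
                "SELECT title FROM documents WHERE owner = ?"); // parameterised, user-scoped
            ps.setString(1, user);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) resp.getWriter().println(rs.getString(1));
            rs.close(); ps.close();
        } catch (SQLException e) {
            throw new ServletException(e);
        } finally {                        // always return the connection, even on error
            if (conn != null) try { conn.close(); } catch (SQLException e) { }
        }
    }
}
```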


----- Original Message -----
From: "Stephen B. Casey" <[EMAIL PROTECTED]>
Date: Saturday, November 4, 2000 10:21 am
Subject: Re: Servlet-Database security

> I'm not sure what you mean by 'app server'. I have JRun 3.0 servlet engine
> connected to IIS 5.0 running on Win 2000 Adv Server. Web browser will be IE
> (at least 4.0).
>
> It has been suggested that I use an https connection to get password and
> userid and then store in session variable for use in database
> connection string. I am currently researching session variables.
>
> I don't have a lot of servlet or web development experience. It seems there
> is a debate going on now as to how SingleThreadModel actually works. I don't
> know who is right or wrong.
>
> Bottom line is I'm looking for a simple solution to provide secure
> database query using user password and userid's in servlets. My fear is some
> clever hacker will beat my security and view proprietary data. I am
> grateful for any advice from the experts on this list.
>
> > -----Original Message-----
> > From: A mailing list for discussion about Sun Microsystem's Java Servlet
> > API Technology. [mailto:[EMAIL PROTECTED]] On Behalf Of T A Flores
> > Sent: Saturday, November 04, 2000 7:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Servlet-Database security
> >
> >
> > First of all what app server will you be using?
> >
> > Second of all I don't think Single Thread will be your solution, please
> > see the archives on that discussion.
> >
> > You could possibly store in session, depending on how secure you want
> > this, some indicator.
> >
> >
> > ----- Original Message -----
> > From: Stephen Casey <[EMAIL PROTECTED]>
> > Date: Friday, November 3, 2000 12:24 pm
> > Subject: Servlet-Database security
> >
> > > I'm tired of looking through the archives. Sorry if this has been
> > > discussed, but I can't find exactly what I'm looking for in there.
> > >
> > > Up until now all of my servlets have accessed 'public' data in our
> > > database using a userid and password hard coded in the servlet database
> > > connection. At this point I need to write an application that accesses
> > > 'proprietary' data. Database connections will authenticate according to
> > > the user's personal id and password. I'm thinking I will implement a
> > > SingleThreadModel and create the database connection using SSL
> > > (https://). Will this protect the data stream from unauthorized 'eyes'?
> > > Will other instances of the servlet be able to access the connection?
> > >
> > > I don't want them to have to go through a logon screen for each query
> > > so, I'm thinking I can keep the connection open and pass it to whatever
> > > classes the servlet calls. If the connection remains idle for more than
> > > 5 minutes I will close it. Again, will passing the connection allow
> > > unauthorized access to data? Do I have to implement SingleThreadModel or
> > > serialize the classes/connections in all classes used by the calling
> > > servlet?
> > >
> > > Does anyone see any 'holes' in this approach? Can you suggest a better
> > > strategy?
> > >
> > > Thanking you in advance,
> > > Stephen
> > >
> > >

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
