[jboss-user] [Datasource Configuration] - Datasource security

Khurram Chaudhry do-not-reply at jboss.com
Wed Jul 28 14:24:53 EDT 2010


Khurram Chaudhry [http://community.jboss.org/people/kilyas] created the discussion

"Datasource security"

To view the discussion, visit: http://community.jboss.org/message/554875#554875

--------------------------------------------------------------
Like any normal application running on JBoss, I am using JBoss managed datasources in the applications running on the app server for DB interaction.  It has been working fine till now, when we came across a new requirement.  The new requirement is such that not all the users should have the permissions to update the data, e.g.

A user John logs into an application running on JBoss and requests some information from the database.  Now once the data is returned to him, not only does he have the permissions to view it but he could also delete/update the information.  Whereas another person, Bob, might just view the information.  So apparently I would like to ensure that the connections established with the database in these cases should be as themselves, and these users' permissions should be defined in the database while creating these users.  Apparently in such a case we might be bypassing the connection pool (please correct me if I am wrong).  Also, is there a way to define such a connection in the datasource xml file where the username/password information is left to the application level?

Secondly, we have generic accounts defined in the datasource file.  These accounts have read/write privileges to the DB.  e.g. boatrade/password has been defined in the ds file as follows:-

<local-tx-datasource>
    <jndi-name>TradeTestOracleDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@trmpd_pkg.bankers.com:1521:trmpd</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <max-pool-size>100</max-pool-size>
    <user-name>boatrade</user-name>
    <password>test</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle9i</type-mapping>
    </metadata>
</local-tx-datasource>


Since this datasource is defined in the ds file, is there a way in JBoss to ensure that this ds is only used for select statements and no updates/deletes are performed using this ds?  Or that only this set of applications can use this datasource and nobody else has access to this DS?

Thanks in advance.
