[jboss-user] [Datasource Configuration] - question on securing a datasource

Hans Williamson do-not-reply at jboss.com
Wed Nov 10 15:31:01 EST 2010


hswritter [http://community.jboss.org/people/hswritter] created the discussion

"question on securing a datasource"

To view the discussion, visit: http://community.jboss.org/message/570602#570602

--------------------------------------------------------------
I'm currently using an SLSB that validates a user's login to a database where the database is configured to lock the user's account after several bad password attempts. If I have a previous valid connection for a user still active in the JBoss database connection pool and a new login attempt has locked the user's account, I find an application can still attempt to 'guess' the user's password until the previous active connection in the pool expires due to the idle timeout setting. An application can keep guessing the user's password and if it gets it correct, the previous active connection in the pool allows the application to connect to the database even if it is originating from a different IP address. Is there a way I can get a reference to the JBoss database pool to flush out active connections for this situation or another way to make this more secure?
--------------------------------------------------------------
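
A minimal model of the behaviour described in the question, added here as an illustration; it is not part of the original post and is not JBoss code. It assumes the pool keys idle connections by (user, password) and hands back a match without re-authenticating; `Database`, `CredentialPool` and `flush_user` are hypothetical names. The `evict_on_failure=True` run shows one mitigation: dropping a user's pooled connections on any failed login.

```python
class Database:
    """Constructed stand-in: locks an account after max_failures bad passwords."""
    def __init__(self, users, max_failures=3):
        self.users, self.max_failures, self.failures = dict(users), max_failures, {}
    def connect(self, user, password):
        if self.failures.get(user, 0) >= self.max_failures:
            raise PermissionError("account locked")
        if self.users.get(user) != password:
            self.failures[user] = self.failures.get(user, 0) + 1
            raise PermissionError("bad password")
        return object()  # opaque connection handle


class CredentialPool:
    """Assumed pool behaviour: idle connections are keyed by (user, password)."""
    def __init__(self, db, evict_on_failure):
        self.db, self.evict_on_failure, self.idle = db, evict_on_failure, {}
    def get_connection(self, user, password):
        conn = self.idle.get((user, password))
        if conn is not None:
            return conn  # pool hit: the database is never asked, so its lock is not seen
        try:
            conn = self.db.connect(user, password)
        except PermissionError:
            if self.evict_on_failure:
                self.flush_user(user)  # mitigation: drop every pooled connection for this user
            raise
        self.idle[(user, password)] = conn
        return conn
    def flush_user(self, user):
        for key in [k for k in self.idle if k[0] == user]:
            del self.idle[key]


def correct_password_works_after_lockout(evict_on_failure):
    db = Database({"alice": "s3cret"})  # constructed sample account
    pool = CredentialPool(db, evict_on_failure)
    pool.get_connection("alice", "s3cret")  # earlier valid login leaves a pooled connection
    for wrong in ("guess1", "guess2", "guess3"):  # three bad attempts lock the account
        try:
            pool.get_connection("alice", wrong)
        except PermissionError:
            pass
    try:
        pool.get_connection("alice", "s3cret")
        return True   # pooled connection handed out despite the database lock
    except PermissionError:
        return False  # request reached the database and was refused
```
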
