accessing databases

Depends on what sort of security you want, and how sensitive the data
is. Amazon lets me create a new userid and password everytime I sign on.
I doubt an online bank would permit that.

TP wrote:

Hi,

I am doing my first database project using java servlets.

We are going along fine but I have a question about how should one
access a database.

We have the URL, userid and pwd in a text secured file or maybe in
web.xml. somewhere where the user does not access it.

The argument is that my colleague thinks (who is also doing his first
db project) that the userid and pwd should be dynamic, like something
that the user should provide everytime he wants anything from the
database.

So how should it be, once for each servlet or once every connection?

Thanks.

TP.

Any other ideas people. This is a question from an inexperienced
person dealing with databases.

Thanks.

tP.
Blair Adamache <ba*******@2muchspam.yahoo.com> wrote in message news:<bv**********@hanover.torolab.ibm.com>...

Depends on what sort of security you want, and how sensitive the data
is. Amazon lets me create a new userid and password everytime I sign on.
I doubt an online bank would permit that.

TP wrote:

Hi,

I am doing my first database project using java servlets.

We are going along fine but I have a question about how should one
access a database.

We have the URL, userid and pwd in a text secured file or maybe in
web.xml. somewhere where the user does not access it.

The argument is that my colleague thinks (who is also doing his first
db project) that the userid and pwd should be dynamic, like something
that the user should provide everytime he wants anything from the
database.

So how should it be, once for each servlet or once every connection?

Thanks.

TP.

tp******@hotmail.com (TP) wrote in message news:<59**************************@posting.google. com>...

We have the URL, userid and pwd in a text secured file or maybe in
web.xml. somewhere where the user does not access it.

The argument is that my colleague thinks (who is also doing his first
db project) that the userid and pwd should be dynamic, like something
that the user should provide everytime he wants anything from the
database.

I don't think that storing your userdata in a file is very practical.
You'll run into trouble if multiple threads try to update the file
(e.g. a new user is registered).

I suggest you to specify to db users, a web user and a system user.
The system user maintains a table with the user data (and passwords).
This table is only readable for the system user. The servlet will use
the web user to login into the database. If the web user wants to
authorize a login request, it calls a stored procedure created by the
system user which checks the provided login data against the table and
returns wether the data is correct (= login ok) or not. Use the
servlet's http-session to indicate if a user has successfully provided
his login data or not.

This way, your user data and passwords remain in a maintainable format
(db table) and the password isn't readable in case your web
application contains a sql-injection vulnerability.
hth

Thats a really good idea.

This is what my situation is, we use db2 database to retrieve
information as a second step from an already created web application
which has its login procedures. (as a portlet maybe) so basically when
a user wants to access db2 he has already been authenticated into the
system.

the way that we are using db2 is, we store the required user id and
pwd information in web.xml, retrieve it on init(), store it in
httpsession and send it to db2 on ever db transaction.

so in this case threading will not be an issue (bcoz of httpsession)

so according to you, is what we are doing valid? wud like some
comments.

Thanks.

TP.
ny***@gmx.net (Almund Sebi) wrote in message news:<94**************************@posting.google. com>...

tp******@hotmail.com (TP) wrote in message news:<59**************************@posting.google. com>...

We have the URL, userid and pwd in a text secured file or maybe in
web.xml. somewhere where the user does not access it.

The argument is that my colleague thinks (who is also doing his first
db project) that the userid and pwd should be dynamic, like something
that the user should provide everytime he wants anything from the
database.

I don't think that storing your userdata in a file is very practical.
You'll run into trouble if multiple threads try to update the file
(e.g. a new user is registered).

I suggest you to specify to db users, a web user and a system user.
The system user maintains a table with the user data (and passwords).
This table is only readable for the system user. The servlet will use
the web user to login into the database. If the web user wants to
authorize a login request, it calls a stored procedure created by the
system user which checks the provided login data against the table and
returns wether the data is correct (= login ok) or not. Use the
servlet's http-session to indicate if a user has successfully provided
his login data or not.

This way, your user data and passwords remain in a maintainable format
(db table) and the password isn't readable in case your web
application contains a sql-injection vulnerability.
hth

And if needed, you can use the encrypt and decrypt functions in DB2 to
encrypt any password data you store in a table.

Almund Sebi wrote:

tp******@hotmail.com (TP) wrote in message news:<59**************************@posting.google. com>...

We have the URL, userid and pwd in a text secured file or maybe in
web.xml. somewhere where the user does not access it.

The argument is that my colleague thinks (who is also doing his first
db project) that the userid and pwd should be dynamic, like something
that the user should provide everytime he wants anything from the
database.

I don't think that storing your userdata in a file is very practical.
You'll run into trouble if multiple threads try to update the file
(e.g. a new user is registered).

I suggest you to specify to db users, a web user and a system user.
The system user maintains a table with the user data (and passwords).
This table is only readable for the system user. The servlet will use
the web user to login into the database. If the web user wants to
authorize a login request, it calls a stored procedure created by the
system user which checks the provided login data against the table and
returns wether the data is correct (= login ok) or not. Use the
servlet's http-session to indicate if a user has successfully provided
his login data or not.

This way, your user data and passwords remain in a maintainable format
(db table) and the password isn't readable in case your web
application contains a sql-injection vulnerability.
hth