tp******@hotmail.com (TP) wrote in message news:<59**************************@posting.google. com>...
> We have the URL, userid and pwd in a text secured file or maybe in
> web.xml. somewhere where the user does not access it.
> The argument is that my colleague thinks (who is also doing his first
> db project) that the userid and pwd should be dynamic, like something
> that the user should provide every time he wants anything from the
> database.
I don't think that storing your userdata in a file is very practical.
You'll run into trouble if multiple threads try to update the file
(e.g. a new user is registered).
I suggest you specify two db users: a web user and a system user.
The system user maintains a table with the user data (and passwords).
This table is only readable for the system user. The servlet will use
the web user to log in to the database. If the web user wants to
authorize a login request, it calls a stored procedure created by the
system user which checks the provided login data against the table and
returns whether the data is correct (= login ok) or not. Use the
servlet's http-session to indicate if a user has successfully provided
his login data or not.
This way, your user data and passwords remain in a maintainable format
(db table) and the password isn't readable in case your web
application contains a SQL injection vulnerability.
hth
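The two-user layout described in the reply above, written out as an added PostgreSQL example (not code from the thread): role names, the table name and the function name are assumptions, and unlike the reply's wording it stores a salted bcrypt hash via pgcrypto instead of the password itself.

```sql
-- Added example, not from the thread. Run as a superuser / database owner.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- provides crypt() and gen_salt()

-- 1. Two roles (names assumed): app_system owns the credential table,
--    app_web is the account the servlet connects as. Passwords are placeholders.
CREATE ROLE app_system LOGIN PASSWORD 'change-me-system';
CREATE ROLE app_web    LOGIN PASSWORD 'change-me-web';

-- 2. The credential table belongs to app_system. Only a salted bcrypt
--    hash is stored, never the cleartext password.
CREATE TABLE app_users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL
);
ALTER TABLE app_users OWNER TO app_system;
REVOKE ALL ON app_users FROM PUBLIC;       -- app_web gets no direct access

-- 3. The login check runs with the owner's rights (SECURITY DEFINER), so
--    app_web can call it without being able to read the table. search_path
--    is pinned so a caller cannot redirect the lookup to another schema.
CREATE OR REPLACE FUNCTION check_login(p_user text, p_pass text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    SELECT EXISTS (
        SELECT 1 FROM app_users
        WHERE username = p_user
          AND password_hash = crypt(p_pass, password_hash)  -- bcrypt compare
    );
$$;
ALTER FUNCTION check_login(text, text) OWNER TO app_system;
REVOKE ALL ON FUNCTION check_login(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION check_login(text, text) TO app_web;

-- 4. Registration is done under app_system (an admin tool or batch job),
--    never through the web user. Constructed sample account:
INSERT INTO app_users VALUES ('alice', crypt('correct horse', gen_salt('bf')));

-- From the servlet, connected as app_web, with both values bound as
-- parameters (never concatenated into the SQL string):
--   SELECT check_login(?, ?);
-- app_web can only obtain a boolean; a direct SELECT on app_users is
-- refused by the database, which is what limits the damage from an
-- injection in the web layer.
```

The session flag the reply mentions is set in the servlet only when check_login returns true, and the web user's connection never needs any privilege on app_users beyond EXECUTE on the function.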