> We access DB2 on OS/390 using DB2 Connect v5.2 and v7.2. 
> Our DB2 Connect guys will install only one datasource for 
> each DB2 database. This was not a problem when we had only 
> one application accessing each database - we just put the 
> application username/password in CF Administrator. Now we 
> have multiple applications, each with its own username/password, 
> that need to share the same datasources so we cannot put 
> the username/password in CF Administrator.
> 
> One solution is to specify the appropriate username/password 
> in each application's Application.cfm file, but of course 
> this exposes the username/password and is a security breach. 
> 
> How can we get around this? If we have multiple applications, 
> each of which needs to use the same datasource, but each with 
> its own username/password for access to the datasource, how 
> can we pass the appropriate username/password while not 
> exposing them? 
>
> We're running CF 5.0 on Win2000 Advanced Server, IIS 5.0.

I'm not sure exactly who you're concerned about exposing them to. If you're
concerned about exposing them to end-users, that's not a likely thing
anyway, since an end-user won't be able to read the source of
Application.cfm. If, on the other hand, you're more concerned about exposing
them to other developers on the server, well, you're probably already
exposing them, since any developer will be able to get that information with
a tiny bit of work unless you're using Advanced Security.

However, you do have some options to make life more difficult for nosy
developers, although they'll probably make your life more difficult as well.
You could store this information in an encrypted file, and use a third-party
package to perform the unencryption; there are many different ways you could
implement something like this. Of course, the same base problem would remain
- somewhere on the machine, you'd have a key to perform the unencryption,
and the nosy developer would just have to find the key. So, if this is
something that you're really concerned about, you'd want to not store the
data persistently on the machine at all; this would essentially require you
to provide the data when needed from outside the machine.

For example, within Windows itself, you can configure the security account
manager to require a password before startup - you'd have to enter this
password to allow the machine to boot. The WebSite web server software has a
similar option for protecting SSL keys. You could build something like this,
but it would be a decent amount of work and may cause availability problems.
However, if you're more interested in this approach, contact me offlist and
we can talk about it - I can always drive up to Woodlawn.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444