Vince said:
> Just keep connections in the pool, open the
> connection as administrator (or
> at least someone who can switch user-ids).
> Then when the client requests a connection, switch from administrator-user
> to whatever user you want and use the connection.
> Switch back after the client is done with the
> connection and it is restored
> in the pool.
> There is a drawback to this.
> You are giving up security.
Ummm... That's actually a pretty big security hole. There might be
environments where it is OK, but from your description I would assume
that:
a) The .class files are hard-coded with the sa password, which means
that it exists as a legible string within the .class file and can be
read by anyone who gets access to it. While you might restrict access
to the server on which the servlet runs, this is no guarantee, which is
why passwords are usually encrypted in the server's files...
...and
b) Any client can request a connection, and it is the responsibility of
an intermediate broker to substitute in the proper user's login (and
password?) If a privileged connection is returned by default to the
requesting process and it is allowed to take care of the substitution,
it would seem that anyone could request and get a sa connection to your
database. Again, it wouldn't necessarily happen from someone just using
their favorite web browser and following along the lines of your app,
but I'm thinking it opens up issues that a malicious user or even
less-than-competent programmer could use to blow away your data. I'm
totally not convinced that the speed gain here is worth that kind of
risk... All IMHO, of course...
Now, if you could have a "guest" resource open (someone with MO privs,
or only the most basic), and within that connection "su" to a real user's
account, that might be a Big Win. I'm pretty sure that would be a
database specific implementation, but it's interesting enough that I
think I'm going to look into it...
--
Within C++ is a smaller, cleaner language
struggling to get out.
It's called Java.
Thomas Moore
[EMAIL PROTECTED] (Home Account)
Software.Engineer [EMAIL PROTECTED]
phone://732.462.1880:268
employer://Celwave, RF
NJ Patterns Group Home Page: http://members.home.net/twmoore/cjpg
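Point (a) above, that a password compiled into a servlet "exists as a legible string within the .class file", can be checked directly: string literals live in the class file's constant pool as CONSTANT_String entries pointing at CONSTANT_Utf8 entries, and anyone who can read the file can walk that table. The following is an added example, not code from the thread: it parses the constant pool of a class file (JVM class file format, chapter 4 of the JVM specification) and dumps the string literals, then applies a small heuristic for JDBC URLs and default administrative account names. The sample class bytes, the servlet name, the JDBC URL and the account/password literals are constructed here for the example.

```python
import struct

# Constant-pool tags from the JVM class file format
CONSTANT_Utf8, CONSTANT_Long, CONSTANT_Double = 1, 5, 6
CONSTANT_Class, CONSTANT_String = 7, 8

# Payload size in bytes (after the 1-byte tag) for every fixed-size tag.
# Utf8 (tag 1) is variable-length and handled separately.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Account names that are worth a second look when they appear as literals
DEFAULT_ADMIN_ACCOUNTS = {"sa", "root", "admin", "system", "sys", "postgres"}


def constant_pool_strings(class_bytes):
    """Return the string literals (CONSTANT_String -> CONSTANT_Utf8) of a class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, utf8, string_refs, i = 10, {}, [], 1
    while i < count:                      # pool indices run from 1 to count-1
        tag = class_bytes[pos]
        pos += 1
        if tag == CONSTANT_Utf8:
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            # the JVM uses "modified UTF-8"; plain decoding is fine for ASCII literals
            utf8[i] = class_bytes[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag == CONSTANT_String:
            (idx,) = struct.unpack_from(">H", class_bytes, pos)
            string_refs.append(idx)
            pos += 2
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {i}")
        # Long and Double entries occupy two pool slots
        i += 2 if tag in (CONSTANT_Long, CONSTANT_Double) else 1
    return [utf8[idx] for idx in string_refs if idx in utf8]


def credential_candidates(class_bytes):
    """Heuristic: JDBC URLs, 'password'/'pwd=' fragments and default admin accounts."""
    out = []
    for s in constant_pool_strings(class_bytes):
        low = s.lower()
        if (low.startswith("jdbc:") or "password" in low or "pwd=" in low
                or low in DEFAULT_ADMIN_ACCOUNTS):
            out.append(s)
    return out


# ---- constructed sample class file (not compiled from real source) ----
def _utf8(s):
    b = s.encode("utf-8")
    return bytes([CONSTANT_Utf8]) + struct.pack(">H", len(b)) + b, 1

def _ref(tag, idx):
    return bytes([tag]) + struct.pack(">H", idx), 1

def _long(v):
    return bytes([CONSTANT_Long]) + struct.pack(">q", v), 2   # takes two slots

_ENTRIES = [
    _utf8("DbServlet"),                     # 1
    _ref(CONSTANT_Class, 1),                # 2
    _utf8("jdbc:odbc:orders"),              # 3
    _ref(CONSTANT_String, 3),               # 4  literal JDBC URL
    _utf8("sa"),                            # 5
    _ref(CONSTANT_String, 5),               # 6  literal account name
    _utf8("s3cret"),                        # 7
    _ref(CONSTANT_String, 7),               # 8  literal password
    _long(42),                              # 9 and 10
    _utf8("java/sql/DriverManager"),        # 11
    _ref(CONSTANT_Class, 11),               # 12
]
_pool_count = 1 + sum(slots for _, slots in _ENTRIES)
SAMPLE_CLASS = (struct.pack(">IHHH", 0xCAFEBABE, 3, 45, _pool_count)
                + b"".join(data for data, _ in _ENTRIES)
                + struct.pack(">HHHHHHH", 0x21, 2, 12, 0, 0, 0, 0))  # rest of header, empty

if __name__ == "__main__":
    for s in constant_pool_strings(SAMPLE_CLASS):
        print(repr(s))
    print("candidates:", credential_candidates(SAMPLE_CLASS))
```

The password itself ("s3cret") is not flagged by the heuristic; it is just another opaque literal sitting next to the URL and the account name, which is why dumping every literal (or simply running `javap -v` or `strings` on the file) is the real check. Encrypting the password in a properties file only moves the problem to wherever the key lives, so the sounder fix is a pool login that holds no administrative privilege at all.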
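The "guest resource plus su" idea at the end of the reply maps onto what PostgreSQL offers as SET ROLE / RESET ROLE: the pooled login role is granted membership in the application roles and nothing more, and each checkout switches to one of them for the duration of the request. The following is an added example, not code from the thread, showing the pool side of that pattern. It uses a constructed DB-API-style connection that only records the SQL it receives, so it runs offline; against a real server the same wrapper would hand out psycopg connections. The role names, table names and the `ScopedRolePool`/`RecordingConnection` classes are assumptions made for the example.

```python
import re
import threading
from contextlib import contextmanager

# Unquoted PostgreSQL identifiers: lower-case, 63 bytes max
_ROLE_NAME = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def quote_ident(name):
    """Quote an identifier; SET ROLE takes no bind parameters, so this plus
    the allowlist below is what keeps role names out of injection territory."""
    return '"' + name.replace('"', '""') + '"'


class RecordingConnection:
    """Constructed stand-in for a DB-API connection; records executed SQL."""
    def __init__(self):
        self.executed = []

    def cursor(self):
        return self

    def execute(self, sql, params=None):
        self.executed.append(sql)


class ScopedRolePool:
    """Pool whose login role is NOT an administrator. The login role must be
    granted membership in each application role (GRANT app_reader TO pool_login),
    which is all SET ROLE needs; superuser is never involved."""
    def __init__(self, connect, allowed_roles, size=2):
        self._allowed = frozenset(allowed_roles)
        self.connections = [connect() for _ in range(size)]
        self._free = list(self.connections)
        self._lock = threading.Lock()

    @contextmanager
    def connection_as(self, role):
        # Allowlist first: callers choose a role name, never a privilege level
        if role not in self._allowed or not _ROLE_NAME.match(role):
            raise PermissionError(f"{role!r} is not an application role")
        with self._lock:
            conn = self._free.pop()
        cur = conn.cursor()
        try:
            cur.execute("SET ROLE " + quote_ident(role))
            yield conn
        finally:
            # Drop back to the login role even if the handler raised, and only
            # then return the connection to the pool; a connection must never be
            # re-issued while still switched to the previous caller's role.
            try:
                cur.execute("RESET ROLE")
            finally:
                with self._lock:
                    self._free.append(conn)


def demo():
    """Two requests on one pooled connection, the second one failing mid-way.
    Returns the SQL the connection saw."""
    pool = ScopedRolePool(RecordingConnection, ["app_reader", "app_writer"], size=1)
    conn = pool.connections[0]
    with pool.connection_as("app_reader") as c:
        c.cursor().execute("SELECT count(*) FROM orders")
    try:
        with pool.connection_as("app_writer") as c:
            c.cursor().execute("DELETE FROM orders WHERE id = 7")
            raise RuntimeError("handler blew up")   # simulated failure
    except RuntimeError:
        pass
    return conn.executed


if __name__ == "__main__":
    for stmt in demo():
        print(stmt)
```

Two caveats a practitioner should keep in mind. First, SET ROLE is a session-level switch, not a sandbox: code that can run arbitrary SQL on the connection can also run `RESET ROLE` or `SET ROLE` to any other role the login is a member of, so this contains the application's own queries to the right privileges but is no defence against SQL injection; the defence there is that the login role holds no privilege worth stealing. Second, the `finally` ordering matters: if the reset were skipped on an exception, the next caller would inherit the previous request's role.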
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html