Sam,

Whatever you do is wrong depending on how secure your data needs to be. No amount of hoops will change the fact that you are allowing people on the Internet to connect to your internal database. You obviously need to have them do this so don't worry.

Take plenty of backups and force the users' passwords to change once per month. Make sure the web server security logs are scanned for any attempt to hack, and make sure that the users and managers of the system are aware. Make it a disciplinary offence to tell anyone else your password. Start ringing the users up and asking them for their password and if they tell you, tell them you're going to sack them (I actually did that at one Govt estab I was at, it soon cured them I can tell you). Make sure that there is no REALLY sensitive data in the database. Use roles or groups to ensure that no one can do anything that they shouldn't.

All of these options and more are going to ease the problem, whereas NO tricks or tips are going to work in the end and have the effect of making you relax. I am not saying we shouldn't try to make web based apps secure but we should also understand that most of the time we can't do it. Especially in an app like this. All that is being suggested is obfuscation. Which is not enough to stop a hacker.

Nic Ferrier
Tapsell-Ferrier Ltd
www.tapsellferrier.co.uk

>>> Sam Rose <[EMAIL PROTECTED]> 3/29/99 3:45:39 PM >>>
I've limited them to be able to Create/delete users/roles/views/tables. They can do a few more things. What could be the worst thing I allow them to do? I mean I won't allow DBA access or anything near that. So accessing my DB should in theory be ok, as all users have a role which limits their actions. Or is this wrong?

-----Original Message-----
From: Henry J. Cobb [SMTP:[EMAIL PROTECTED]]
Sent: Monday, March 29, 1999 3:29 PM
To: [EMAIL PROTECTED]
Subject: Don't deploy generic user ID and password for database access.

Instead, have a property file that reveals a user ID and password for your servlet that ONLY has permissions to run a few SQL functions in your database.

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
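An added example, not from any of the messages above, of the restricted database account Henry describes (a servlet login that can only execute a few SQL functions) and the role-based limits Nic recommends, written for PostgreSQL. The table, function and role names and the placeholder password are constructed for illustration.

```sql
-- Added example (not from the thread): a PostgreSQL login role for the servlet that
-- can run exactly two functions and nothing else, instead of the create/delete rights
-- on users/roles/views/tables that Sam's users currently hold.
-- Table, function and role names are constructed for illustration.

-- Application data (constructed).
CREATE TABLE orders (
    id       serial PRIMARY KEY,
    customer text NOT NULL,
    amount   numeric(10,2) NOT NULL
);

-- The only operations the web tier needs, wrapped as SECURITY DEFINER functions
-- (they run with the privileges of their owner, the admin running this script),
-- so the servlet role never needs direct table privileges.
CREATE FUNCTION add_order(p_customer text, p_amount numeric)
RETURNS integer
LANGUAGE sql SECURITY DEFINER
AS $$ INSERT INTO orders (customer, amount) VALUES (p_customer, p_amount) RETURNING id; $$;

CREATE FUNCTION get_order(p_id integer)
RETURNS orders
LANGUAGE sql SECURITY DEFINER STABLE
AS $$ SELECT * FROM orders WHERE id = p_id; $$;

-- Least-privilege login role used by the servlet; these are the only credentials
-- the servlet's property file should contain. 'change-me' is a placeholder.
CREATE ROLE servlet_app LOGIN PASSWORD 'change-me';

-- Remove what PUBLIC gets by default (CREATE on the public schema, EXECUTE on
-- functions), then grant back only the two functions.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO servlet_app;
GRANT EXECUTE ON FUNCTION add_order(text, numeric) TO servlet_app;
GRANT EXECUTE ON FUNCTION get_order(integer) TO servlet_app;

-- Check from a session connected as servlet_app: these succeed ...
--   SELECT add_order('alice', 12.50);
--   SELECT get_order(1);
-- ... while these fail with "permission denied", because the role owns nothing,
-- has no table privileges and no CREATE privilege on the schema:
--   SELECT * FROM orders;
--   CREATE TABLE scratch (x int);
--   DROP TABLE orders;
--   CREATE ROLE intruder LOGIN;
```

If the servlet's property file is ever exposed, the attacker holds a login that can only insert and read single orders, which is the damage limit Henry's advice is meant to set.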
