Sam Rose wrote:
> I've limited them to be able to
>
> Create/delete users/roles/views/tables
>
> They can do a few more things, what could the worst thing I allow them
> to do, I mean I won't allow DBA access or anything near that.
> So accessing my DB should in theory be ok, as all users have a role
> which limits their actions.
>
> Or is this wrong?

Well, here's a few questions that should help you decide whether it's okay to just have one account for the servlet itself (which is probably more common):

1. Do the users have _different_ rights?
2. Is someone watching the database logs to see what a particular user does (or is this necessary)?

If the answer to both of the questions is no, then you're not gaining anything by passing the db user name/password through the servlet, and your life will be simpler if you just use one account for the servlet itself. You will, however, probably need some table of user accounts/passwords that the servlet uses if you're providing any type of authentication.

I know this doesn't answer your last question, but I thought I'd throw it in anyway <grin>.

> -----Original Message-----
> From: Henry J. Cobb [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, March 29, 1999 3:29 PM
> To: [EMAIL PROTECTED]
> Subject: Don't deploy generic user ID and password for database access.
>
> Instead, have a property file that reveals a user ID and password for
> your servlet that ONLY has permissions to run a few SQL functions in
> your database.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kito D. Mann
[EMAIL PROTECTED]
Virtua Communications Corp
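
The setup discussed in this thread (one servlet account limited to a few SQL functions, plus an application-level table of user accounts) could look like the following. This is an added example, not code from any poster in the thread; it assumes PostgreSQL with the pgcrypto extension installed in the `public` schema, and every role, table and function name in it is hypothetical.

```sql
-- Assumption: PostgreSQL + pgcrypto; all object names below are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Application-level accounts: the servlet authenticates end users against
-- this table instead of giving each of them a database login.
CREATE TABLE app_users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL          -- bcrypt hash, never the plaintext
);

CREATE TABLE orders (
    id       bigserial PRIMARY KEY,
    username text NOT NULL REFERENCES app_users(username),
    item     text NOT NULL
);

-- The single account the servlet connects as. It owns nothing and is granted
-- no privileges on the tables themselves. The password is a placeholder.
CREATE ROLE servlet_app LOGIN PASSWORD 'CHANGE_ME_PLACEHOLDER'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- SECURITY DEFINER functions run with the rights of their owner, so they can
-- read the tables on the servlet's behalf. Pinning search_path keeps a caller
-- from substituting its own objects for the ones referenced here.
CREATE FUNCTION check_login(p_user text, p_password text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT EXISTS (
        SELECT 1 FROM app_users
        WHERE username = p_user
          AND password_hash = crypt(p_password, password_hash)
    );
$$;

CREATE FUNCTION list_orders(p_user text) RETURNS SETOF orders
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT * FROM orders WHERE username = p_user;
$$;

-- Functions are executable by PUBLIC by default: remove that, then grant
-- EXECUTE on exactly these two functions to the servlet account.
REVOKE EXECUTE ON FUNCTION check_login(text, text), list_orders(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION check_login(text, text), list_orders(text) TO servlet_app;

-- Constructed sample user for trying the functions out.
INSERT INTO app_users
VALUES ('alice', crypt('constructed-sample-pw', gen_salt('bf')));
```

Connected as `servlet_app`, calls to the two granted functions succeed while a direct `SELECT` on `app_users` or `orders` is refused, so a leaked property file exposes only what those functions return.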
