No, the second item isn't entirely correct. You can do a kind of access control
to define what "profile" that user has. If the "profile" can do the
query, it does so. The account is only to access the database, but what
anybody will see will be defined by the access control.

[ ]'s
Luciano Coelho
Sun Certified Programmer for Java2
e-Sec Data Security Technology
[EMAIL PROTECTED]



-----Original Message-----
From: Edward W. Rouse <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, December 8, 1999 12:55
Subject: Re: Database authentication


>There's a third possibility. Create a database account for every user role (or
>user), authentication is done by the servlet and passed through to the database
>for additional authentication.
>
>#1 is OK, but if the user has to authenticate on the site anyway, why have them
>enter a user name and password twice?
>
>#2 is open to abuse. If all data is accessed using one account, then everybody
>can see everybody else's data. If this is not an issue, yet, what about in the
>future? Or maybe I'm just paranoid ;-)
>
>Ed.
>
>Heiko Gottschling wrote:
>
>> Hi,
>>
>> I'm working on a project which includes accessing a database from a
>> servlet. Now I'm wondering what is the best way to do so. There are two
>> possibilities:
>>
>> 1. Create a database account for every user. On login, the servlet asks
>> for the user's password and uses the user's login & password to create a
>> connection with the database. Authentication is performed by the
>> database.
>>
>> 2. The servlet gets an account of its own. Authentication is done by the
>> servlet. All database communication is performed over the servlet
>> account.
>>
>> Each has its advantages and disadvantages, e.g. with the first approach
>> I can rely on the database's elaborate access privilege system (which I
>> would have to implement myself otherwise), while with the second
>> approach I may use connection pooling...
>>
>> Are there any other points which favor any of the possibilities?
>>
>> thx
>> Heiko
>>
>>
>> ___________________________________________________________________________
>> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
>> of the message "signoff SERVLET-INTEREST".
>>
>> Archives: http://archives.java.sun.com/archives/servlet-interest.html
>> Resources: http://java.sun.com/products/servlet/external-resources.html
>> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>

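Added example, not part of the original thread: a sketch of option #2 with the application-level access control described in the top reply, where one shared database account is used for every request and the user's profile decides what rows come back. It is written in Python with an in-memory sqlite3 database standing in for the servlet's account; the `orders` table, the profile names and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed profiles: the operations each application profile may perform.
PROFILES = {
    "customer": {"read_own"},
    "auditor": {"read_own", "read_all"},
}


class AccessDenied(Exception):
    """Raised when the session's profile does not permit the request."""


def open_shared_connection():
    """One connection standing in for the servlet's single database account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders (owner, item) VALUES (?, ?)",
        [("alice", "modem"), ("bob", "printer"), ("alice", "cable")],  # constructed rows
    )
    return db


def list_orders(db, user, profile, owner=None):
    """Return the items visible to an already-authenticated user.

    The caller never supplies SQL. The owner filter is bound as a parameter
    and is forced to the session user unless the profile grants read_all.
    """
    allowed = PROFILES.get(profile, set())  # unknown profile: no permissions
    target = owner or user
    if target != user and "read_all" not in allowed:
        raise AccessDenied(f"{user} ({profile}) may not read {target}'s orders")
    if "read_own" not in allowed:
        raise AccessDenied(f"profile {profile!r} has no read permission")
    rows = db.execute(
        "SELECT item FROM orders WHERE owner = ? ORDER BY id", (target,)
    )
    return [row[0] for row in rows]
```

Every query path has to go through a function like `list_orders`; any code that runs SQL on the shared connection without the check sees all rows, which is the exposure Ed describes for #2.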