commons-dev mailing list archives

From ARPON Martín TECSIS <MAR...@TECSIS.COM>
Subject RE: [DBCP] getConnection with credentials unsupported
Date Fri, 21 Feb 2003 21:38:30 GMT
Ok, I see the point. What about checking if the passed credentials are the
same as the ones we are creating connections with, and in that case
return a connection and in others throw an exception?



-----Original Message-----
From: PUB: Craig R. McClanahan [mailto:craigmcc@apache.org] 
Sent: Friday, February 21, 2003 5:39 PM
To: Jakarta Commons Developers List
Cc: marpon@tecsis.com
Subject: Re: [DBCP] getConnection with credentials unsupported


On Fri, 21 Feb 2003, ARPON Martín TECSIS wrote:

> Date: Fri, 21 Feb 2003 12:57:04 -0300
> From: ARPON Martín TECSIS <MARPON@TECSIS.COM>
> Reply-To: Jakarta Commons Developers List 
> <commons-dev@jakarta.apache.org>
> To: "'commons-dev@jakarta.apache.org'" <commons-dev@jakarta.apache.org>
> Subject: [DBCP] getConnection with credentials unsupported
>
> I see from PoolingDataSource that getConnection(String uname, String 
> passwd) is not implemented and throws UnsupportedOperationException.
>
> The problem with this is that it prevents using Sun's RowSet
> implementation, at least, CachedRowSet
> (http://developer.java.sun.com/developer/Books/JDBCTutorial/chapter5.html)
>
> This code doesn't work when "jdbc/coffeesDB" gets a
> dbcp.PoolingDataSource:
>
>
>   CachedRowSet crset = new CachedRowSet();
>   crset.setCommand("SELECT * FROM COFFEES");
>   crset.setDataSourceName("jdbc/coffeesDB");
>   crset.execute();
>
>
> From what I see, RowSets with DataSources appear to always call
> getConnection(username, password), even when crset.setUsername() and
> crset.setPassword() haven't been used.
>
> Changing the code like this works:
>
>   public Connection getConnection(String uname, String passwd) throws SQLException {
>       //throw new UnsupportedOperationException();
>       return getConnection();
>   }
>
> My question is: are there any plans to implement this method? Or, is
> there any chance to get a standard connection instead of throwing an
> exception?
>

I would be -1 on such a patch.  This would create security vulnerabilities
for people who believed that the returned connection really did have only
the privileges of the specified username and password.

> Regards,
>
> Martin
>
> If you wish to reply, please CC me because I'm not subscribed.
> Thanks.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org
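
The check proposed in the reply at the top of this message, sketched as an added example; it is not DBCP code and not from either poster. The class name `CredentialCheckingDataSource`, the choice to reject `null` credentials, and the SQLSTATE value are assumptions made for illustration.

```java
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.sql.DataSource;

/** Hypothetical wrapper, not DBCP code: hands out pooled connections only to
 *  callers that present the same credentials the pool itself connects with. */
public final class CredentialCheckingDataSource implements DataSource {
    private final DataSource pool;      // e.g. a PoolingDataSource
    private final byte[] poolUser;      // identity the pooled connections run as
    private final byte[] poolPassword;

    public CredentialCheckingDataSource(DataSource pool, String user, String password) {
        this.pool = pool;
        this.poolUser = user.getBytes(StandardCharsets.UTF_8);
        this.poolPassword = password.getBytes(StandardCharsets.UTF_8);
    }

    @Override public Connection getConnection() throws SQLException {
        return pool.getConnection();
    }

    @Override public Connection getConnection(String user, String password) throws SQLException {
        // Non-short-circuit & so both fields are always compared.
        boolean ok = same(poolUser, user) & same(poolPassword, password);
        if (!ok) {
            // Fail closed: never return a connection running as a different identity than requested.
            throw new SQLException("Requested credentials do not match the pool's credentials", "28000");
        }
        return pool.getConnection();
    }

    private static boolean same(byte[] expected, String supplied) {
        if (supplied == null) return false; // unspecified credentials are rejected (assumed policy)
        return MessageDigest.isEqual(expected, supplied.getBytes(StandardCharsets.UTF_8));
    }

    // Remaining DataSource methods delegate unchanged.
    @Override public PrintWriter getLogWriter() throws SQLException { return pool.getLogWriter(); }
    @Override public void setLogWriter(PrintWriter out) throws SQLException { pool.setLogWriter(out); }
    @Override public void setLoginTimeout(int s) throws SQLException { pool.setLoginTimeout(s); }
    @Override public int getLoginTimeout() throws SQLException { return pool.getLoginTimeout(); }
    @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException { return pool.getParentLogger(); }
    @Override public <T> T unwrap(Class<T> c) throws SQLException { return pool.unwrap(c); }
    @Override public boolean isWrapperFor(Class<?> c) throws SQLException { return pool.isWrapperFor(c); }
}
```

With this policy a caller that passes no username and password is still refused, so a RowSet would need its username and password set to the pool's own values.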

