commons-user mailing list archives

From Rakesh Patel
Subject Re: [DBCP] PerUserPoolDataSource - Problem with changing passwords
Date Mon, 28 Nov 2005 09:20:37 GMT

I think the reason no one answered your post is that your use of DBCP is 
very unusual. Generally, you would use DBCP to maintain a pool of 
connections where each connection is identical (ie created with the same 
username/password) and is NOT an actual application user.

This account is generic and allows access to the db but additional work 
is required for authentication and authorisation.

This is how I used DBCP recently:

1. Created a table of usernames/passwords in the db. eg AKohlbecker.
2. Create a DB USER java_app/java_app.
3. Configure DBCP to create a pool of java_app connections.
4. Create a login page and collect username/password from form (eg 
5. Using one of the connections, issue SQL to verify the 
username/password provided.

The java_app account doesn't need to have its password changed.

Hope that's clear,

Andreas Kohlbecker wrote:

> Since I did not receive any response to my question on this
> mailing list in 10 days, this posting is now moved to the
> mailing list !!!
> Andreas Kohlbecker wrote:
>> (I already posted this question some weeks ago. Unfortunately I forgot
>> to add the 'reply to' address. Thus I'm trying it again ..)
>> We are using the DBCP PerUserPoolDataSource as GlobalNamingResource in
>> tomcat 5.5. Users have the option to change the password by a special
>> webpage. After a password has been changed, access to the database fails
>> because the password stored in the connection pool differs now from
>> the newly chosen password. Requesting a new Connection for this user by
>> calling the PerUserPoolDataSource.getConnection(String username, String
>> password) method throws an expected exception:
>> java.sql.SQLException: Given password did not match password used to
>> create the PooledConnection.
>> Thus: The old password is no longer accepted by the database. And using
>> the new one is denied by the InstanceKeyDataSource. How can this dilemma
>> be solved? Restarting the ServletContainer every time a user's password
>> is changed does not seem feasible to me.
>> The only solution I found is to reimplement the PerUserPoolDataSource,
>> PerUserPoolDataSourceFactory and InstanceKeyObjectFactory in a separate
>> package and to change the 'getPooledConnectionAndInfo(String username,
>> String password)' method in such way, that it registers a new pool for a
>> user if its password has changed:
>> -----snipp-------
>> PooledConnectionAndInfo info = null;
>>     try {
>>         info = (PooledConnectionAndInfo)((ObjectPool) pool).borrowObject();
>>         if(!info.getPassword().equals(password)){
>>             // password has changed -> register new pool for this user
>>             try {
>>                 key = getPoolKey(username);
>>                 registerPool(username, password);
>>                 pool = pools.get(key);
>>             } catch (NamingException e) {
>>                 throw new SQLNestedException("RegisterPool failed", e);
>>             }
>>             info = (PooledConnectionAndInfo)((ObjectPool) pool).borrowObject();
>>         }
>>     }
>>     catch (Exception e) {
>>         throw new SQLNestedException(
>>             "Could not retrieve connection info from pool", e);
>>     }
>> -----snipp-------
>> Is there another solution? If not, I would suggest updating the next
>> DBCP release to include an appropriate method to deal with password
>> changes.
>> Andreas Kohlbecker
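
An added example (not part of the original thread and not DBCP code) of step 5 in the reply above: a connection borrowed from the shared java_app pool checks the credentials from the login form using a bound parameter. The table name app_users, its columns, the class name LoginVerifier and the use of salted PBKDF2 hashes in place of stored plaintext passwords are assumptions, as is Java 8 or later.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

/** Added example: application-level login check over one shared pooled DB account. */
public class LoginVerifier {
    // Assumed schema: app_users(username, salt, iterations, pw_hash), all NOT NULL.
    private static final String LOOKUP =
        "SELECT salt, iterations, pw_hash FROM app_users WHERE username = ?";

    private final DataSource pool; // e.g. a DBCP pool of java_app connections

    public LoginVerifier(DataSource pool) { this.pool = pool; }

    /** Returns true only if the user exists and the password matches the stored hash. */
    public boolean verify(String username, char[] password) throws SQLException {
        // try-with-resources hands the connection back to the pool on every path
        try (Connection c = pool.getConnection();
             PreparedStatement ps = c.prepareStatement(LOOKUP)) {
            ps.setString(1, username); // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false; // unknown user
                byte[] expected = rs.getBytes("pw_hash");
                byte[] actual = derive(password, rs.getBytes("salt"),
                                       rs.getInt("iterations"), expected.length);
                return MessageDigest.isEqual(expected, actual); // constant-time compare
            }
        }
    }

    /** PBKDF2-HMAC-SHA256 over the candidate password with the user's stored salt. */
    static byte[] derive(char[] password, byte[] salt, int iterations, int lenBytes) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, lenBytes * 8);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }
}
```

Because users authenticate against the table rather than as database accounts, a password change only updates one row and the pooled java_app connections stay valid.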
