Mailing-List: contact commons-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Jakarta Commons Users List" <commons-user@jakarta.apache.org>
Received-SPF: pass (asf.osuosl.org: domain of rakesh.mailgroups@gmail.com
 designates 64.233.184.200 as permitted sender)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:user-agent:x-accept-language:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding;
        b=O0sEnbVU0bpRfAvcgXBOB3DpZjbt03W7SRa6NWRDzZ+lTqZ/yRSb5wUUCqMn+ZXO24d3cJRneJxFuaGxCcLGeUiCEZZXyEmFoJPjR8+dZB0CFnfLhEHJKsh3BkAy/cmFs/c14ChlhUs0vHRRYTUM8i9g7ou4buu5JRQQagiEMDw=
Message-ID: <438ACBE5.5010604@gmail.com>
Date: Mon, 28 Nov 2005 09:20:37 +0000
From: Rakesh Patel <rakesh.mailgroups@gmail.com>
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
MIME-Version: 1.0
To: Jakarta Commons Users List <commons-user@jakarta.apache.org>
Subject: Re: [DBCP] PerUserPoolDataSource -  Problem with changing passwords
References: <437C644E.5040906@web.de> <438AB06B.5050808@web.de>
In-Reply-To: <438AB06B.5050808@web.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

I think the reason no one answered your post is that your use of DBCP is 
very unusual. Generally, you would use DBCP to maintain a pool of 
connections where each connection is identical (ie created with the same 
username/password) and is NOT an actual application user.

This account is generic and allows access to the db but additional work 
is required for authentication and authorisation.

This is how i used DBCP recently:

1. Created a table of usernames/passwords in the db. eg AKohlbecker.
2. Create a DB USER java_app/java_app.
3. Configure DBCP to create a pool of java_app connections.
4. Create a login page and collect username/password from form (eg 
AKohlbecker/Cr1cket).
5. Using one of the connections, issue SQL to verify the 
username/password provided.

The java_app account doesn't need to have its password changed.

Hope thats clear,

Rakesh
Andreas Kohlbecker wrote:

> Since i did not received any response on my question in this 
> mailinglist since 10 days, this posting is now moved to the 
> commons-dev@jakarta.apache.org mailinglist !!!
>
>
>
> Andreas Kohlbecker schrieb:
>
>> (I already posted this question some weeks ago. Unfortunately I forgot
>> to add the 'reply to' address. Thus i'm trying it again ..)
>>
>> We are using the DBCP PerUserPoolDataSource as GlobalNamingResource in
>> tomcat 5.5. Users have the option to change the password by a special
>> webpage. After a password has been changed, access to the database fails
>> because the password stored in the connection pool differs now from
>> the newly chosen password. Requesting a new Connection for this user by
>> calling the PerUserPoolDataSource.getConnection(String username, String
>> password) method throws an expected exception:
>>
>> java.sql.SQLException: Given password did not match password used to
>> create the PooledConnection.
>>
>> Thus: The old password is no longer accepted by the database. And using
>> the new one is denied by the InstanceKeyDataSource. How can this dilemma
>> be solved? Restarting the ServletContainer every time a user's password
>> is changed seem not feasible to me.
>>
>> The only solution I found is to reimplement the PerUserPoolDataSource,
>> PerUserPoolDataSourceFactory and InstanceKeyObjectFactory in a separate
>> package and to change the 'getPooledConnectionAndInfo(String username,
>> String password)' method in such way, that it registers a new pool for a
>> user if its password has changed:
>>
>> -----snipp-------
>>
>> PooledConnectionAndInfo info = null;
>>     try {
>>         info = (PooledConnectionAndInfo)((ObjectPool) 
>> pool).borrowObject();
>>         if(!info.getPassword().equals(password)){
>>             // password has changed -> register new pool for this user
>>             try {
>>                 key = getPoolKey(username);
>>                 registerPool(username, password);
>>                 pool = pools.get(key);
>>             } catch (NamingException e) {
>>                 throw new SQLNestedException("RegisterPool failed", e);
>>             }
>>             info = (PooledConnectionAndInfo)((ObjectPool)
>> pool).borrowObject();
>>         }
>>     }
>>     catch (Exception e) {
>>         throw new SQLNestedException(
>>             "Could not retrieve connection info from pool", e);
>>     }
>>
>> -----snipp-------
>>
>> Is there another solution? If not, I would suggest updating the next
>> DBPC release to include an appropriate method to deal with password 
>> changes.
>>
>> Andreas Kohlbecker
>>
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org