db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tushar Kale <tk...@w3apps.com>
Subject Need help in designing secure database application
Date Sat, 13 Feb 2010 03:18:02 GMT

The use case is as follows. 

The application uses embedded derby. The information in the database needs
to be secured. Users should not be able to list tables and table columns or
get the data using select statements.

My original thought was to implement the application logic as stored
procedures, create a user in the database and give this user (who is not a
database owner) the execute permission on stored procedures. Java
application will use the CALL statements only and not select statements. I
need to  use connection authorization and SQL authorization both. 

In the JAva program, user name and password will be used to connect to the
database. My problem is, if I start the database with user name and
password, this user cannot shutdown the database as he is not the database
owner. I don't want to use the database owner name and password in the Java
program as user can decompile the Java program and get the database owner
name and password. 

In short, here is what I am trying to achieve:

Create and encrypt database with database owner name and password. 
Create user in the database with user name and password
Grant Execute permission to user on stored procedures
In the Java program, use user name and password to start the database
Use Call statements to execute business logic
Shutdown the database when done.

I am not sure how to proceed. Any guidance in implementing will be
appreciated.

-- 
View this message in context: http://old.nabble.com/Need-help-in-designing-secure-database-application-tp27572103p27572103.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.


Mime
View raw message