db-torque-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Lukshides <luksh...@us.ibm.com>
Subject RE: Getting access to the db connections
Date Mon, 24 Mar 2003 23:48:01 GMT

Eric, thanks for your input.  We're actually using WebSphere.  I assume
Torque can use WebSphere's connection pool, but there is pretty scant
documentation on Torque in general and none that I've found that is
WebSphere specific.  When you say that the container sets up the pool, does
Tomcat have the ability to call a stored procedure for each connection


|         |           EPugh@upstate.com|
|         |                            |
|         |           03/24/2003 06:23 |
|         |           PM               |
|         |           Please respond to|
|         |           "Turbine Torque  |
|         |           Users List"      |
|         |                            |
  |       To:       torque-user@db.apache.org                                            
  |       cc:                                                                            
  |       Subject:  RE: Getting access to the db connections                             

One thing you could use in connection pooling defined by the Tomcat
container (if that is what you are using).  Then it means the container
setsup the pool, and your app doens't have a username/password, just a
reference to the pool setup by the container.

Then it would be up to the container to provide proper security of the
username and password.

What you have sounds pretty icky and resource intensive...  Security by
obfuscation is typically not real secure!


-----Original Message-----
From: Steve Lukshides [mailto:lukshide@us.ibm.com]
Sent: Monday, March 24, 2003 6:25 PM
To: torque-user@db.apache.org
Subject: Getting access to the db connections

Hi All,

Our Oracle DB Admin insists that we run a stored procedure for each
connection made to the database.  I'm not an Oracle DBA so forgive me if
this explanation is less than clear.  As a security measure he expects
every connection made to the database to call a stored procedure to set the
application's role.  The idea is to prevent someone from logging on to the
DB through SQL Plus with the user name and password that Torque uses and
gain rights to use the database.  If someone were to discover the
username/password that Torque uses and then logs on through SQL Plus they
would not gain any rights until the SP is executed, which they are not
likely to know and will be difficult to discover.

So my question is, how can I get at each connection that Torque
establishes, preferably at the time it is established, and use it to
execute the SP on?  Is this practical?  Is there a better way to do this?

Steve Lukshides

Sr. I/T Specialist, IBM Global Services
1475 Phoenixville Pike, West Chester, PA 19380
Phone: 610-989-0340
Voice Mail: 610-578-2385  IBM Tie Line: 873-2385
Email: lukshide@us.ibm.com

To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org

View raw message