Solved

how to control the login security of a web application using database?

Posted on 2003-03-12
Last Modified: 2010-04-01
Dear experts,

I have developed something which I am not sure if it is the best way to do it.

I am trying to control user login by querying the Oracle database.
1. I create a user account in the database for the user; therefore, I pass the login to the Oracle driver to verify the user--
DriverManager.getConnection(url, id, pwd);
The bad thing is I have to create a login for each user, which I don't think is correct.

2. The other way I am thinking of is to create a "user_account" table, which stores the login for all users. By querying against this table, I could verify the user. However, then I have to connect to the database first, before I can query the "user_account" table to verify the user, which means the application has to connect to the database right after it starts. Is this a good approach for this type of problem?

Thanks.
Question by:changcy77
 
LVL 35

Expert Comment

by:girionis
ID: 8121029
 You have to connect to the database anyway in order to verify that the user has the right password/username. Except if you store username/password in a flat/XML file.
0
 

Author Comment

by:changcy77
ID: 8121078
Thanks for the response.

But my first approach, which uses the user's login to connect to the database, does not guarantee the connection to the database. So the application doesn't have to connect to the database unless the user's login is correct.
0
 
LVL 35

Expert Comment

by:girionis
ID: 8121155
 Yes true if the username/password are wrong then there is no connection object. The thing is though that the trip to the database is done anyway. Besides you will need a connection object for every user. If you have 1000 users that means 1000 connection objects. The more users you have the more cumbersome it will be for the database (of course there is always the connection pooling solution).

  With the second approach you also do not need to create log in for every user, which (creating login for every user) is always more hack-prone since now your database is vulnerable to more people.
0
 

Author Comment

by:changcy77
ID: 8121336
thanks.

But, I am not totally clear about your suggestion. Do you mean:
1. Connect to the database when the application starts anyway?
2. But I am also using a JavaBean to pass data to the database. Should I release the connection every time the query is done and reconnect for the next query? Or just leave the connection open until the application is closed?
0
 
LVL 11

Expert Comment

by:fargo
ID: 8121515
Hello changcy77,

I suppose you are mixing up a little bit the user/password used for the database connection and the user/password used for the application.

The user/password used for the database connection will always remain the same. You have to define certain rights in the database for the users, to administer or only read rights or whatever....

And the user/password used for your application login is different.... Your second approach is the normal approach in all cases. You need to create a table to maintain the user authentications....

So the bottom line is..... use the second approach.. and define a user/password to connect to the database.. you need a connection to the database to check the login user.

Hope it clears the stand.
happy working
fargo
0
 
LVL 35

Expert Comment

by:girionis
ID: 8122533
1), 2) This is entirely up to you and to your application's specification. Do you see the need to connect on startup or not? Does it take a long time to connect so it's better to do it at start up? Do you see your users only querying the database periodically or quite often? How many users do you see connecting/querying?

0
 

Author Comment

by:changcy77
ID: 8122627
Thanks to both experts.

I think my question now is:
1. "Could multiple JavaBeans share one database connection?"


 
0
 

 
LVL 35

Expert Comment

by:girionis
ID: 8122928
 Yes they can. Just have another class that holds the connection and then return it to every class requesting it. Be careful to synchronize the connection if multiple objects are going to use it at the same time.
0
 
LVL 35

Accepted Solution

by:
girionis earned 200 total points
ID: 8122958
 You might also want to take a look here: http://www.webdevelopersjournal.com/columns/connection_pool.html
0
 
LVL 11

Expert Comment

by:fargo
ID: 8126321
Hi changcy77,

girionis is correct with his answer.. moreover the link is a perfect one.... In the article, a properties file is used for getting the driver, user, password ... you can even make use of ini files to do the same. Well, it depends upon your requirements.

Have a nice time
good luck
fargo
0
 

Author Comment

by:changcy77
ID: 8130668

Thanks.
The link is very good.

But I am still not totally clear about how a JavaBean interacts with a Connection in terms of accessing the database: when to create a connection, when to release it, which connection to use, ..? Does anyone have a complete and good example that I can use as a reference?

Thanks again.
 
0
 
LVL 35

Expert Comment

by:girionis
ID: 8130825
 I suggest that if users will be performing db operations constantly then leave the connection open. Otherwise close it and open it every time a user requests something.
0
 

 

Author Comment

by:changcy77
ID: 8153747
The sample code is helpful. Thanks.
0
 
LVL 35

Expert Comment

by:girionis
ID: 8157835
 Thank you. I am glad I helped :-)
0
