how to control the login security of a web application using database?

Dear experts,

I have developed something which I am not sure if it is the best way to do it.

I am trying to control user login by querying the Oracle database.
1. I create a user account in the database for the user; therefore, I pass the login to the Oracle driver to verify the user:
DriverManager.getConnection(url, id, pwd);
The bad thing is I have to create a login for each user, which I don't think is correct.

2. The other way I am thinking of is to create a "user_account" table, which stores the login for all users. By querying against this table, I could verify the user. However, then I have to connect to the database first, before I can query the "user_account" table to verify the user, which means the application has to connect to the database right after it starts. Is this a good approach for this type of problem?

Thanks.
changcy77 Asked:
girionis Commented:
You have to connect to the database anyway in order to verify that the user has the right password/username. Except if you store username/password in a flat/XML file.
0
changcy77 Author Commented:
Thanks for the response.

But my first approach, which uses the user's login to connect to the database, does not guarantee the connection to the database. So, the application doesn't have to connect to the database unless the user's login is correct.
0
girionis Commented:
Yes, true, if the username/password are wrong then there is no connection object. The thing is, though, that the trip to the database is done anyway. Besides, you will need a connection object for every user. If you have 1000 users, that means 1000 connection objects. The more users you have, the more cumbersome it will be for the database (of course there is always the connection pooling solution).

With the second approach you also do not need to create a login for every user, which (creating a login for every user) is always more hack-prone since now your database is vulnerable to more people.
0
changcy77 Author Commented:
Thanks.

But I am not totally clear about your suggestion. Do you mean:
1. Connect to the database when the application starts anyway?
2. But I am also using a JavaBean to pass data to the database. Should I release the connection every time the query is done and reconnect for the next query? Or just leave the connection open until the application is closed?
0
fargo Commented:
Hello changcy77,

I suppose you are a little bit confused between the user/password used for the database connection and the user/password used for the application.

The user/password used for the database connection will always remain the same. You have to define certain rights in the database for the users: to administer, or only read rights, or whatever.

And the user/password used for your application login is different. Your second approach is the normal approach in all cases. You need to create a table to maintain the user authentications.

So the bottom line is: use the second approach, and define a user/password to connect to the database. You need a connection to the database to check the login user.

Hope it clears the stand.
Happy working
fargo
0
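An added example (not code from any poster in this thread) of the second approach discussed above: the application uses one database account behind a connection pool and checks logins against a user_account table. The column names, the DataSource, and the choice of salted PBKDF2 hashes for the stored passwords are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

public class LoginVerifier {
    private static final int ITERATIONS = 210_000, KEY_BITS = 256;
    private final DataSource pool; // assumed: pooled connections using the application's single DB account

    public LoginVerifier(DataSource pool) { this.pool = pool; }

    // Derive a salted PBKDF2 hash; only this and the salt are stored, never the password itself.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Fresh random salt, generated once per user when the account row is created.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Hypothetical schema: user_account(username VARCHAR2, salt RAW(16), pwd_hash RAW(32)).
    public boolean verify(String username, char[] password) throws Exception {
        String sql = "SELECT salt, pwd_hash FROM user_account WHERE username = ?";
        try (Connection con = pool.getConnection();            // borrowed per request, returned on close
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);                          // bound parameter, no string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    hash(password, new byte[16]);               // unknown user: spend similar time anyway
                    return false;
                }
                byte[] expected = rs.getBytes("pwd_hash");
                byte[] actual = hash(password, rs.getBytes("salt"));
                return MessageDigest.isEqual(expected, actual); // constant-time comparison
            }
        }
    }
}
```

The database account behind the DataSource needs only SELECT on user_account for this check, which keeps end users from ever holding database credentials.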
girionis Commented:
1), 2) This is entirely up to you and to your application's specification. Do you see the need to connect on startup or not? Does it take a long time to connect so it's better to do it at startup? Do you see your users only querying the database periodically or quite often? How many users do you see connecting/querying?

0
changcy77 Author Commented:
Thanks to both experts.

I think my question now is:
1. "Could multiple JavaBeans share one database connection?"


 
0
girionis Commented:
Yes they can. Just have another class that holds the connection and then return it to every class requesting it. Be careful to synchronize the connection if multiple objects are going to use it at the same time.
0
girionis Commented:
You might also want to take a look here: http://www.webdevelopersjournal.com/columns/connection_pool.html
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fargo Commented:
Hi changcy77,

girionis is correct with his answer. Moreover, the link is a perfect one. In the article, a properties file is used for getting the driver, user, password... You can even make use of ini files to do the same. Well, it depends upon your requirements.

Have a nice time
Good luck
fargo
0
changcy77 Author Commented:

Thanks.
The link is very good.

But I am still not totally clear about how a JavaBean interacts with a Connection in terms of accessing the database: when to create a connection, when to release it, which connection to use...? Does anyone have a complete and good example that I can use as a reference?

Thanks again.
 
0
girionis Commented:
I suggest that if users will be performing db operations constantly, then leave the connection open. Otherwise close it and open it every time a user requests something.
0
changcy77 Author Commented:
The sample code is helpful. Thanks.
0
girionis Commented:
Thank you. I am glad I helped :-)
0
Question has a verified solution.