aa8y

Reputation: 3942

Creating multiple Connection objects for multiple users

I have written a web app using Java EE for altering the contents of a table. For user authentication I am using the database credentials of the user. I am creating the JDBC connection using these credentials.

The problem arose when two or more users simultaneously logged in and the Connection object got updated with the credentials of the latest user. So no matter which user made the changes, the username of the latest user got logged in the log file, which is a massive security issue.

So how can I create multiple Connection objects for multiple users so that only the username of the user who is making the modification gets in the log?

Upvotes: 1

Views: 1366

Answers (2)

david a.

Reputation: 5291

This sounds as if you were storing a reference to your connection objects in a static variable, keeping just a single connection object in your web application. Instead of that, you can make use of HttpSession to store a user-specific connection object in the user's session as an attribute. Store the connection there the first time the user accesses the application, then, at each subsequent request, get the connection back, check if it is still valid and use it.

Also do not forget to close the connection once the session times out. This can be achieved by implementing an HttpSessionListener that checks for any connections in the session and closes them in the sessionDestroyed() method.

EDIT: For multiple reasons, it is usually not a good design to use DB credentials to let users log on to an application. However, with a low number of sessions (and thus a low number of connections simultaneously opened on the DB) and with DB rights reasonably set, this still might work well.

EDIT 2: And of course, access to such a cached connection needs to be synchronized (say, in case a user tries to hit your app with multiple simultaneous requests, e.g. by having multiple browser windows open). This might be (a little) tricky.

Upvotes: 1
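
The per-session approach described in the answer above, as an added example that is not part of the original answer or the asker's code. The class name, the attribute key, the `Holder` wrapper and the `SqlWork` interface are hypothetical, and the `javax.servlet` (Java EE) API is assumed to be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener // registers the listener so sessionDestroyed() runs on timeout/invalidate
public class SessionConnectionListener implements HttpSessionListener {
    static final String ATTR = "example.dbConnection"; // assumed attribute name

    public interface SqlWork<T> { T apply(Connection c) throws SQLException; }

    /** Per-session wrapper: its monitor serializes one user's concurrent requests. */
    public static final class Holder {
        private final Connection conn;
        Holder(Connection conn) { this.conn = conn; }

        public synchronized <T> T use(SqlWork<T> work) throws SQLException {
            // 2-second validity probe before handing the connection to the caller
            if (!conn.isValid(2)) throw new SQLException("session connection is no longer valid");
            return work.apply(conn);
        }

        synchronized void close() {
            try { conn.close(); } catch (SQLException ignored) { /* already gone */ }
        }
    }

    /** Call at login: opens the connection with this user's own DB credentials. */
    public static void bind(HttpSession session, String jdbcUrl, String user, String password)
            throws SQLException {
        Holder old = (Holder) session.getAttribute(ATTR);
        session.setAttribute(ATTR, new Holder(DriverManager.getConnection(jdbcUrl, user, password)));
        if (old != null) old.close(); // a repeated login must not leak the previous connection
    }

    /** Call per request: returns the holder bound to this session only. */
    public static Holder current(HttpSession session) {
        Holder h = (Holder) session.getAttribute(ATTR);
        if (h == null) throw new IllegalStateException("no connection bound to this session");
        return h;
    }
    @Override public void sessionCreated(HttpSessionEvent se) { }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        Holder h = (Holder) se.getSession().getAttribute(ATTR);
        if (h != null) h.close();
    }
}
```

`Holder` is not `Serializable`, so this assumes the container does not persist or replicate sessions.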

jdevelop

Reputation: 12296

You may want to store username/password/etc. in HttpSession rather than keeping a list of connections opened and assigned to a user. Imagine that there will be tens or hundreds of users - will the RDBMS handle such a number of concurrent connections correctly? What about thousands of users?

Upvotes: 1
