Tomcat security

Greenhorn
Posts: 4
Hello.
I need to know how Tomcat can restrict DB connections for classes. For example, I want my app to be able to connect to and read the DB, but to have no permission to write or delete entries. Is it the catalina.policy file, or do the web.xml / server.xml files have to be changed? I know Tomcat supports IP access restrictions, but there's no information about working with the DB. I guess removing

entries from catalina.policy can restrict DB access, but I need more flexible settings. Help please.
Ranch Hand
Posts: 624
Not sure about Tomcat, but I have implemented this kind of thing in the database itself.
There are 2 ways.
1. Create views of the specific tables. Thus the user can only read from them and cannot modify or delete records.
2. Create another schema and give it SELECT permission on your specific schema. Create a connection from Java for that new schema. Thus the user can only read data.

Depending on the requirement, one of the methods can be implemented.
Saloon Keeper
Posts: 7585
This goes beyond what Tomcat can do. You'll need to implement it some other way, possibly along the lines of what Tapas suggests.
Saloon Keeper
Posts: 27762
Actually, this does fall under Tomcat's remit. Well-designed webapps* in Tomcat acquire Connections from a Database Connection Pool which Tomcat constructs. The Connections are bound to a database (JDBC) driver. It would have to be the driver that enforced read-only behavior.

So, in short, if your database supports a JDBC connection URL whose properties include a read-only attribute, you can use that URL form when you define the Connection Pool and then it would be read-only.

I don't know offhand what, if any, DBMSs support that feature, however. The more common approach is as Tapas suggests - create a DBMS userid that has only SELECT privileges for the database and define your Connection Pool using that userid.

===
*As opposed to webapps that use brute-force getConnection() calls directly to the DriverManager.
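An added example, not code from anyone in this thread, that puts Tapas's and Tim's advice together: the DBA creates a dedicated account that holds only SELECT, and the webapp side obtains its connections as that account and runs a startup self-check proving the account can read but not write. It uses an in-memory H2 database (assumed to be on the classpath) as a stand-in for the real DBMS so it runs stand-alone; inside Tomcat the DataSource would instead come from the JNDI pool Tim describes (a lookup of java:comp/env/jdbc/... through InitialContext, with the pool's <Resource> configured with the read-only userid). The names provision, isReadOnly, app_ro, the accounts table and the JDBC URL are all constructed for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;
import org.h2.jdbcx.JdbcDataSource;

public class ReadOnlyPoolCheck {

    // Constructed URL for an in-memory H2 database. DB_CLOSE_DELAY=-1 keeps the
    // database alive between connections so the second account can see what the
    // admin created. In production this would be the real DBMS URL.
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    /** DBA side: create the table and a least-privilege account with SELECT only. */
    static void provision() throws SQLException {
        try (Connection admin = DriverManager.getConnection(URL, "sa", "");
             Statement st = admin.createStatement()) {
            st.execute("CREATE TABLE accounts (id INT PRIMARY KEY, balance INT)");
            st.execute("INSERT INTO accounts VALUES (1, 100)");
            // Dedicated read-only account for the webapp's connection pool.
            // Password is a constructed sample; real credentials belong in the
            // pool configuration, never in source.
            st.execute("CREATE USER app_ro PASSWORD 'ro-secret'");
            st.execute("GRANT SELECT ON accounts TO app_ro");
        }
    }

    /**
     * Startup self-check for the pool's account: a SELECT must succeed and an
     * UPDATE must be refused by the DBMS. Returns true only when the grants are
     * what the webapp expects; a successful write means the pool account is
     * over-privileged and should be treated as a misconfiguration.
     */
    static boolean isReadOnly(DataSource ds) throws SQLException {
        try (Connection c = ds.getConnection()) {
            try (Statement st = c.createStatement();
                 ResultSet rs = st.executeQuery(
                         "SELECT balance FROM accounts WHERE id = 1")) {
                if (!rs.next()) {
                    throw new SQLException("read check failed: no rows visible");
                }
            }
            try (Statement st = c.createStatement()) {
                st.executeUpdate("UPDATE accounts SET balance = 0 WHERE id = 1");
                return false; // write went through: account can modify data
            } catch (SQLException denied) {
                return true;  // DBMS rejected the write (no UPDATE right)
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        provision();
        // Stand-in for the Tomcat JNDI pool: a DataSource bound to the read-only account.
        JdbcDataSource ds = new JdbcDataSource();
        ds.setURL(URL);
        ds.setUser("app_ro");
        ds.setPassword("ro-secret");
        System.out.println("pool account is read-only: " + isReadOnly(ds));
    }
}
```

The enforcement lives in the DBMS grant, which is why the check is worth running at deployment: it catches a pool that was accidentally configured with the schema owner's credentials. Connection.setReadOnly(true) is deliberately not used as the control, because the JDBC specification defines it as a hint to the driver rather than a guarantee that writes are rejected; a DBMS-level read-only URL attribute of the kind Tim mentions (H2, for instance, has ACCESS_MODE_DATA=r for file databases) can add a second layer, but the SELECT-only account is the part every DBMS supports.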
Daniel Pen
Greenhorn
Posts: 4
Ok, I understand the .policy file configures the JVM, granting objects permissions, and the primary idea of it is to restrict applications' access to the web server: its configuration files, file system, JVM properties, etc. In other words, these are "inside" restrictions. It's clear about the scope of inside access. But what about "outside" access restrictions? I still can't find an answer: which applet external activity restrictions do exist? If I'm not mistaken, the applet can connect to any DB (no guarantee it'll be successful, but it can try) and "walk freely on the web". SocketPermission is not suitable here, because it doesn't provide any flexible settings; I can only choose between "restrict everything" and "allow everything".

Note: Here we're talking about the applet as a black box, considering that I have no ability to change its code but need to control its behavior using Tomcat's capabilities. I think it's a doable thing, but I don't have enough skills.
Daniel Pen
Greenhorn
Posts: 4
Tim Holloway wrote: Actually, this does fall under Tomcat's remit. /.../

Thank you for your reply; it's quite close to the information I wanted to know.