
EJBs and User Proxies

Joe Pluta
Ranch Hand
Posts: 1376
Hello one and all!
Let me start off by declaring that I am not very versed in EJBs. I know the theory, but I haven't really put them into practice. I come from the midrange world (IBM iSeries) where most of our I/O is native DB2 I/O, and EJBs are just finding their way into production.
Here's my issue. On the iSeries, we have the capability of logging database activity to a journal, which will include the current user. This is pretty crucial information for auditing purposes. With EJB, my understanding is that most implementations tend to use a connection pool, which means you don't really know what user your request will run under.
However, it is also my understanding that some vendors (Oracle, Sybase) allow for something called a "user proxy" where you can tell the driver which user to use when actually processing a statement; this user will override the user ID in the connection.
With all that lead-in, here's my question: is there anything in the J2EE standard when using container managed persistence that allows for the use of user proxies in EJB transactions? Something in the container that will take that user ID and pass it down to the JDBC driver in some way to tell it to use this user, not the one the connection was made with?
I'd have to believe there are some serious security issues in place for this, so I'm wondering if anybody ever heard of such a thing. The only reason I'm asking is that I was told this was a part of "standard J2EE when using the right database, such as Oracle".
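The vendor-specific "user proxy" the post refers to, sketched with Oracle's JDBC driver as an added example (not part of the original post, and not a J2EE-standard API). The class name `AuditedWork`, the `SqlWork` callback and the `runAs` helper are hypothetical; it assumes the pool hands out connections that unwrap to `oracle.jdbc.OracleConnection`, that the end user has been granted `CONNECT THROUGH` the pool account, and that `endUser` comes from the container's authenticated caller (for example `EJBContext.getCallerPrincipal().getName()`).

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import javax.sql.DataSource;
import oracle.jdbc.OracleConnection;

/** Added example: run one unit of work on a pooled connection as the end user. */
public final class AuditedWork {

    /** Hypothetical callback type wrapping the caller's SQL. */
    @FunctionalInterface
    public interface SqlWork<T> {
        T apply(Connection c) throws SQLException;
    }

    public static <T> T runAs(DataSource pool, String endUser, SqlWork<T> work)
            throws SQLException {
        if (endUser == null || endUser.isBlank()) {
            // Fail closed: never fall back silently to the shared pool account,
            // or the database audit trail would record the wrong user.
            throw new SQLException("no authenticated end user for audited work");
        }
        try (Connection c = pool.getConnection()) {
            OracleConnection oc = c.unwrap(OracleConnection.class);

            Properties p = new Properties();
            p.setProperty(OracleConnection.PROXY_USER_NAME, endUser);
            // Database side (assumed already done by a DBA):
            //   ALTER USER <endUser> GRANT CONNECT THROUGH <pool account>;
            oc.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, p);
            try {
                // Statements issued here run, and are audited, as endUser.
                // The callback is expected to commit or roll back its own work.
                return work.apply(c);
            } finally {
                // Close only the proxy session so the physical connection goes
                // back to the pool without carrying this user's identity.
                oc.close(OracleConnection.PROXY_SESSION);
            }
        }
    }

    private AuditedWork() { }
}
```

Closing the proxy session in `finally` is the security-relevant part: if it is skipped on an error path, the next borrower of that pooled connection runs under the previous user's identity.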