• Post Reply Bookmark Topic Watch Topic
  • New Topic

Tomcat security  RSS feed

 
Dmitry Pen
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello.
I need to know, how can Tomcat restrict DB connections for classes. For example, I want my app could connect and read db, but had no permissions to write and delete entries. Is it catalina.policy file, or web.xml / server.xml files have to be changed? I know, Tomcat supports IP access, but there's no information about working with db. I guess, removing

entries from catalina.policy can restrict db access, but I need more flexible settings. Help please.
 
Tapas Chand
Ranch Hand
Posts: 614
9
BSD Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Not sure about tomcat, but I have implemented this kind of thing in database itself.
There are 2 ways.
1. Create view of the specific tables. Thus user can only read from them, cannot modify or delete records.
2. Create another schema and give select permission to your specific schema. Create a connection from Java for that new schema. Thus user can only read data.

Depending on requirement one of the method can be implemented.
 
Tim Moores
Saloon Keeper
Posts: 3512
77
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This goes beyond what Tomcat can do. You'll need to implement it some other way, possibly along the lines of what Tapas suggests.
 
Tim Holloway
Bartender
Posts: 18531
61
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Actually, this does fall under Tomcat's remit. Well-designed webapps* in Tomcat acquire Connections from a Database Connection Pool which Tomcat constructs. The Connections are bound to a database (JDBC) driver. It would have to be the driver that enforced read-only behavior.

So, in short, if your database supports a JDBC connection URL whose properties include a read-only attribute, you can use that URL form when you define the Connection Pool and then it would be read-only.

I don't know offhand what, if any DBMS's support that feature, however. The more common approach is as Tapa suggests - create a DBMS userid that has only SELECT privileges for the database and define your Connection Pool using that userid.

===
*As opposed to webapps that use brute-force getConnection() calls directly to the DriverManager.
 
Dmitry Pen
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Ok, I understand .policy file configures JVM granting objects permissions, and the primary idea of it is to restrict applications' access to webserver:  it's configuration files, file system, JVM properties, etc. In other words, there are "inside" restrictions. It's clear about the scopes of inside access. But what about "outside" access restrictions? I still can't find answer - which applet external activity restrictions do exist? If I'm not mistaked, the applet can connect to any DB (no guarantees it'll be successfull, but it can try), ''walk freely on web". SocketPermission is not suitable here, cause it doesn't provide any flexible settings, I can only choose between "restrict evrthg" and "allow evrthg".

Note: Here we're talking about the applet as about the blackbox, considering the situation I have no abilities to change it's code but need to control it's behavior by Tomcat capabilities. I think it's doable thing, but I haven't enough skills.
 
Dmitry Pen
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Tim Holloway wrote:Actually, this does fall under Tomcat's remit. /.../

Thank you for your reply, it's quite close to information I wanted to know.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!