Access to my User Database via web address

 
Jimmy Bua
Greenhorn

I'm a Tomcat noob and I am using Tomcat7 along with the Java Spring framework for my login project. I have a SQLite database attached to it that gets called when the user tries to log on. This all works great! The problem I have is that it's very easy to log into the web login page through a browser. By simply going to http://[my ip]/myProject/ and then entering their username and password, they have full access to the database and can edit and delete users all they want. Is there any way to limit this? They can see all of the usernames and passwords. Is there a way to lock access down to my user database?

Thanks

 
Tim Holloway
Bartender
Tomcat, like almost all multi-user systems, has the greatest common denominator of all of the access rights of all users. Which, incidentally, is a good reason to put critical administrative functions in a separate webapp with more limited user access.

You should definitely not allow users direct access to database tables in any webapp*; that's a major security problem. So data access limits would normally be enforced by the business functions that do the actual invocation of the database, and those business functions would normally be accessed by specific business-oriented URLs that you could restrict using the stock J2EE Container Management security.

Incidentally, SQLite is not a good database for webapps. Unless I'm mistaken, it has no transaction capabilities and therefore can be easily corrupted. Use something like MySQL instead.

=====
*Well, actually, I wrote a raw database editing app that does do that, but it's expressly supposed to allow doing horrible things to tables and I don't allow just anyone to use it!
 
Jimmy Bua
Greenhorn
Thanks Tim for your reply! Do you suggest that I 'can' Tomcat altogether? Or do you suggest that I incorporate MySQL instead of SQLite?
 
Paul Clapham
Sheriff
If I might interpret Tim's answer: I believe he meant you should run your database table in a separate web app in Tomcat, so that you aren't giving access to the database table part of the app to all users. That's for the security issue you asked about.

And he did suggest you should switch to something other than SQLite, but not because of your security issue.
 
Tim Holloway
Bartender
Yep. Tomcat doesn't incorporate the advanced functions of the J2EE/SEE spec such as EJBs, but it does support the full J2EE security specs for the functions it provides, so there's no need to switch from Tomcat.

However, as I said, SQLite isn't designed for many simultaneous users any more than Microsoft Access is. For a web application, you need a transactional database - MySQL, PostgreSQL, Oracle, DB2, SQL Server or something like that. It doesn't matter which one - any DBMS that has JDBC drivers is good, as long as it supports transactions.
 