Re: Connection Pooling with the .NET Provider on IIS
- From: mc <mc@xxxxxxxxxxxxxxxx>
- Date: Wed, 17 Jun 2009 13:09:14 +0100
grendal wrote:
On Jun 15, 6:16 pm, Fernando Nunes <domusonl...@xxxxxxxxx> wrote:Ian Michael Gumby wrote:With respect to Fernando's earlier post, you have to think about theI'd like a more elaborate response if you can. As I said, it's doable by other
security risks if you can change your connection details within the
pool. Not a good idea.
RDBMS. If you can authenticate securely you can of course change credentials in
a secure manner... You may not want to do that for simplicity and performance
but I can't think of any additional security issues... It's not like you simply
say "authenticate me as john_doe/password" and then simply "now I'm informix,
thank you!"
Again, which *other* databases?
Unlike DB2 and IDS, do the other databases authenticate against the
OS?
From what I've seen, both Oracle and MS Sql Server Authenticate the user based on well established Kerberos/NTLM Authentication methods.
Neither of the above would ever allow a connection to be re-used by any other user than the originator.
I care little if it is actually changing the authentication on the fly or if the connection pool is authentication aware and blocks the connection re-use. the point is that when developing a secure system you would never want your credentials to be reused and therefore written into DB logs by anyone other than yourself.
Although usually J2EE applications just use a connection pool with a singleend to end identity propogation?
user, some customers would like to be able to do end-to-end identity
propagation. Specially if you're modernizing your application by introducing
web services for example and you have old logging mechanisms on the database
side based on the user ID. This is s situation customers may face if they try
to use the new web services capabilities of newer versions of 4GL.
The concept of end-to-end propagation of identity is fundamental in developing a secure and robust system.
I have full traceability from when the user first "Hits" the web page, into web service calls on remote systems which connect into databases. Every system's audit logs reference the user that completed the action not some system account that makes tracing individuals actions very difficult.
You have that with connection pooling if you design your app
appropriately and track your user via a session id/token.
Why should I design anything into my App With other RDBMS's I relly on the infrastructure to provide this. It saves me time and leaves Identity management up to the specialists. If you rely on application level "Session Id" or "Tokens" you open yourself up to assorts of attack vectors.
You really need to think about what you're saying.
You really need to start thinking about security!
.
- References:
- Connection Pooling with the .NET Provider on IIS
- From: mc
- Re: Connection Pooling with the .NET Provider on IIS
- From: Fernando Nunes
- Re: Connection Pooling with the .NET Provider on IIS
- From: mc
- Re: Connection Pooling with the .NET Provider on IIS
- From: Fernando Nunes
- Re: Connection Pooling with the .NET Provider on IIS
- From: mc
- Re: Connection Pooling with the .NET Provider on IIS
- From: Fernando Nunes
- Re: Connection Pooling with the .NET Provider on IIS
- From: grendal
- Connection Pooling with the .NET Provider on IIS
- Prev by Date: Re: Large Table Deletes
- Next by Date: Re: how to store a file in databes
- Previous by thread: Re: Connection Pooling with the .NET Provider on IIS
- Next by thread: Re: Connection Pooling with the .NET Provider on IIS
- Index(es):
Relevant Pages
|
Loading
