March 31, 2004 at 2:17 pm
Our development group is writing a Java application that will be delivered on the Web using an Apache Web Server. They will access a SQL Server 2K database, and my problem is security. If they use a connection string with a hardcoded user and password, then what do we do with the connection string? If it's hardcoded in the application, then whenever we want to test or if I decide to move the database, the application needs to be recompiled (not a good idea). If the connection string is put in a file, then anyone can read the file (I suppose I could encrypt the file, but that sounds like an invitation for someone to try and decrypt the file). Why not just use a connection string like:
Driver={SQL Server};Server=Aron1;Database=pubs;Trusted_Connection=yes;
Now my problem. If I do this, what login needs access to the SQL Server database? If this were IIS rather than APACHE I would just give access to iusr<servername>. How does Apache work? I am not a UNIX groupie, and when I read through the APACHE documentation I see references to "auth_* modules". What's that?
Bottom line: can someone explain simply what ID will be used to connect to SQL Server given the connection string above?
- an Apache neophyte
Francis
March 31, 2004 at 2:56 pm
Apache by itself won't be making the connection, just as IIS by itself doesn't (you're thinking about ASP most likely, which makes ADO calls, but does so in the context of the IUSR_* account by default).
You said they're using Java. Are they using applets or servlets (for instance, is it Apache + Tomcat or is it an applet that actually runs on the client)? My guess in those cases is they would be using JDBC, so you might look there if that's the case. Can you confirm with your developers what they're going to use to connect into SQL Server?
K. Brian Kelley
@kbriankelley
March 31, 2004 at 3:18 pm
I guess I am thinking about ASP.
In this case they are using the MS JDBC driver. After I read your reply I looked up some info on JDBC and saw this: "The Microsoft SQL Server 2000 driver for JDBC does not support connecting by using Windows NT authentication." OK, now I know. We must use SQL Server authentication or else get a new driver.
Thanks for the nudge in the right direction.
Francis
April 1, 2004 at 2:42 pm
Commonly, the way to do this is to put the connection string in a separate dbConnection class. If the connection string changes then only this class must be re-compiled, not the full application.
Signature is NULL
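The trade-off discussed in this thread (recompiling for a hardcoded string versus a file that anyone can read), as an added example that is not part of the original posts: a separate connection class that loads SQL Server authentication settings from an external properties file and refuses to use the file if accounts other than its owner can access it. The class name `DbConnection`, the property names `db.url`, `db.user` and `db.password`, and the default file name are assumptions made for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

// Hypothetical class: settings live in a file outside the web root, so moving
// the database means editing that file, not recompiling the application.
public final class DbConnection {
    // Assumed property names, constructed for this example.
    private static final String[] REQUIRED = {"db.url", "db.user", "db.password"};
    private final Properties props = new Properties();

    public DbConnection(Path configFile) throws IOException {
        requireOwnerOnly(configFile);
        try (InputStream in = Files.newInputStream(configFile)) {
            props.load(in);
        }
        for (String key : REQUIRED) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing setting: " + key);
            }
        }
    }

    // Reject a config file that group or other accounts can access (POSIX only).
    static void requireOwnerOnly(Path file) throws IOException {
        if (!Files.getFileStore(file).supportsFileAttributeView("posix")) {
            return; // non-POSIX file system (e.g. NTFS): restrict with ACLs instead
        }
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IOException(file + " is accessible beyond its owner: " + p);
            }
        }
    }

    public Connection open() throws SQLException {
        return DriverManager.getConnection(props.getProperty("db.url"),
                props.getProperty("db.user"), props.getProperty("db.password"));
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args.length > 0 ? args[0] : "db.properties");
        DbConnection db = new DbConnection(file);
        System.out.println("loaded settings for login " + db.props.getProperty("db.user"));
    }
}
```

The file should be owned by the account the servlet container runs as, and the SQL Server login it names should hold only the database permissions the application needs.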