views:

237

answers:

1

In short, how can I restrict access to connection pool X based on application name or JAR name? A simple use case might help...

A business web-app (call it WEB_APP_A) uses pool Y to do basic look-up SQL. Some users of this web-app have access to also update some sensitive data in the database. This code is provided by a JAR file (call it HR_JAR) that can be dropped in where needed. This JAR uses pool X for all of it's connections.

We don't want developers of WEB_APP_A using pool X. We only want HR_JAR using pool X. This is to keep devs of WEB_APP_A from accidentally or intentionally abusing the access pool X provides.

Some considerations:

  1. This is legacy code so HR_JAR is here to stay
  2. We are running on Weblogic 9.2
  3. We can not keep passwords in any from in the source code
  4. We have researched weblogic user level authn/authz for JDBC resources but then this begs the question; how do we secure the user creds we use to become a user per app/jar?

Ideas? Thoughts? I can elaborate more on what I have tried, but I wanted fresh ideas.

A: 

Haven't ever tried this and don't have access to an instance to play right now, but in your JDBC config you could try adding a <scope> element for the application against pool X, inside the <jdbc-data-source-params> I think... Though that assumes you have a separate application defined for HR.jar, which I'm not sure is the case from your description. I don't know if you can restrict an individual JAR within an application though.

Alex Poole
HR JAR is shipped with WEB_APP_A. In JBoss the answer seems trivial (see http://www.jboss.org/file-access/default/members/jbossweb/freezone/docs/latest/security-manager-howto.html section "JBoss Web Custom Permissions"). I can't seem to find the equivalent in Weblogic.
Andrew White
@Andrew I'm not sure to understand how this JBoss stuff would solve your problem.
Pascal Thivent
Well, in JBoss I could do the following, right?grant codeBase "jar:file:${catalina.home}/webapps/WEB_APP_A/WEB-INF/lib/HR.jar!/-" { org.apache.naming.JndiPermission "jndi://localhost/poolX; };
Andrew White
@Andrew Ah yes indeed. After a second read, it appears that you're right.
Pascal Thivent