Posted to user@turbine.apache.org by subhash <su...@yahoo.com> on 2002/03/25 17:56:13 UTC
A suggestion for Torque Implementation from a security standpoint ..
I have a suggestion regarding Torque.java.

I agree that while a generic getProperty(dbName, property) is
great for flexibility, it is not so great from a security perspective.

But, from what I see, this added flexibility cannot be used unless there is
some change made to the way Torque implements its DBFactory. Something like
a lookup for a DBFactory, and then passing the configuration on to the
DBFactory, would be one such implementation.

But even in such a case, the flexibility is still there; it is just that a
user cannot get all the properties of a given database using Torque.java,
which I think is an OK compromise.

I will give a little bit more context:

What I would like to do is write my own class that implements the Stratum
Configuration interface, and secure it so that it obtains the database
password information from a different source than a property file.

So, when I am running my application, I don't want any other application to
do a getProperty on a database password. (I know that it can be secured by
Java security policies, but I just thought that information like that should
never be returned.)

The same goes for Torque.getConfiguration().

I would suggest a simple change, so that getProperty becomes private,
and implement simple accessors that return the information from the
getProperty() method.

I am planning on making these changes to Torque's source code before we
deploy it to production, so I can publish the changes if you desire.

Thanks, -Subhash.
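
The change suggested in the message above, sketched as an added example (not Torque's code and not part of the original post): the generic lookup is private, public accessors expose only non-secret settings, and the password comes from a separate source and is never returned. The class name `DbSettings`, the property keys and the `Function<String, char[]>` password source are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.function.Function;

// Hypothetical class illustrating the suggestion; this is not Torque's API.
public final class DbSettings {
    private final Map<String, Properties> byDatabase = new HashMap<>();
    // Assumed secret source keyed by database name (vault, keystore, prompt...).
    private final Function<String, char[]> passwordSource;

    public DbSettings(Map<String, Properties> config,
                      Function<String, char[]> passwordSource) {
        for (Map.Entry<String, Properties> e : config.entrySet()) {
            Properties copy = new Properties();
            copy.putAll(e.getValue());
            copy.remove("password"); // never keep a secret in the generic store
            byDatabase.put(e.getKey(), copy);
        }
        this.passwordSource = passwordSource;
    }

    // Private: callers cannot ask for arbitrary keys of a database.
    private String getProperty(String dbName, String key) {
        Properties p = byDatabase.get(dbName);
        if (p == null) {
            throw new IllegalArgumentException("unknown database: " + dbName);
        }
        return p.getProperty(key);
    }

    // Narrow accessors: only settings that are safe to hand out.
    public String getDriver(String dbName)   { return getProperty(dbName, "driver"); }
    public String getUrl(String dbName)      { return getProperty(dbName, "url"); }
    public String getUsername(String dbName) { return getProperty(dbName, "username"); }

    // The password is consumed here and never returned to the caller.
    public Connection connect(String dbName) throws SQLException {
        char[] secret = passwordSource.apply(dbName);
        try {
            // DriverManager needs a String; the char[] copy is still cleared below.
            return DriverManager.getConnection(
                getUrl(dbName), getUsername(dbName), new String(secret));
        } finally {
            Arrays.fill(secret, '\0');
        }
    }
}
```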