Posted to user@struts.apache.org by Ted Husted <hu...@apache.org> on 2001/09/05 21:24:11 UTC

Re: How have others handled management concerns over storing database userid and password in struts-config.xml?

Shamdasani Nimmi-ANS004 wrote:
> Each application user, i.e., a supplier has only access to a subset of the database depending on what he/she is allowed to see but the database account (the account which is used by the application to get the connection pool) has access to the complete database. This database account information (user, password, etc.) is stored in struts-config.xml. This database account information is what the management is worried about.

Here I meant that the general Web user should not be allowed to do
things like drop tables ;-)


> So are you saying that the database server should only accept access by database account from the Webserver IP only? I am not much familiar with the setting up of the servers but could a database server be made to allow access on a database account only at a particular IP?

Typically.


> Do you mean that the database account be the only one to be able to read the folder or that the application users be the only ones allowed to read?

Neither. I meant the account that is running the Web server, and needs
to read the file. The config file is actually accessed by the account
that the server is running under.


-- Ted Husted, Husted dot Com, Fairport NY USA.
-- Custom Software ~ Technical Services.
-- Tel +1 716 737-3463
-- http://www.husted.com/about/struts/
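
Added example, not part of the original message: a POSIX shell check for the last point in the reply, that struts-config.xml should be readable by the account the server runs under and by nobody else. The function name, return codes, and the path and account in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a config file that holds
# database credentials: it must be a regular file owned by the account the
# web server runs under, with no group or other permission bits set.
#
# audit_config FILE ACCOUNT     ACCOUNT is a user name or a numeric uid
# Returns: 0 ok, 1 wrong owner, 2 accessible beyond the owner,
#          3 missing, not a regular file, or a symlink
audit_config() {
    file=$1
    account=$2

    # Refuse symlinks so the audit cannot be pointed at a different file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        return 3
    fi

    # Resolve the expected owner to a numeric uid.
    case $account in
        ''|*[!0-9]*) want_uid=$(id -u "$account" 2>/dev/null) || return 1 ;;
        *)           want_uid=$account ;;
    esac

    # "ls -ldn" prints: mode links uid gid size date name
    ls_out=$(ls -ldn -- "$file") || return 3
    mode=${ls_out%% *}
    have_uid=$(printf '%s\n' "$ls_out" | awk '{print $3}')

    [ "$have_uid" = "$want_uid" ] || return 1

    # Characters 5-10 of the mode string are the group and other bits.
    beyond_owner=$(printf '%s' "$mode" | cut -c5-10)
    [ "$beyond_owner" = "------" ] || return 2
    return 0
}

# Usage with hypothetical values:
#   sh audit.sh /path/to/WEB-INF/struts-config.xml tomcat
if [ "$#" -eq 2 ]; then
    audit_config "$1" "$2"
fi
```

A non-zero status from a deployment or monitoring job means the file's owner or mode has drifted from what the reply recommends.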