User credential and verification (Verify the credential of the user using the database (PostgreSQL) registered role name)
User credential and verification [message #1794253] Tue, 28 August 2018 06:01
Mark Novem Grisola
Messages: 27
Registered: November 2017
Junior Member
Hi all, good day.
I had a simple running system using Eclipse Scout - Photon; the system verifies the user's credential by accessing the database and getting the user's password from the specific table based on the provided username. I am using the database admin credentials to access (log in to) the database. Here's the problem: I want to use the user's credential to access the database, or should I say I want to use the user's credential to create the connection to the database. That way I can create two layers of security: (i) the user credential must be registered or belong to a certain role of the database and that role is allowed to log in to the database, (ii) when that credential passes the first layer, the credential will be verified again (second layer of security) using the specific table (user's credential table) of the database. In this way, I can increase security measures. By the way, I am using PostgreSQL.
I would be very happy and glad if you guys could give me a hand on how to do it.

Thank you so much in advance.
Re: User credential and verification [message #1794656 is a reply to message #1794253] Tue, 04 September 2018 14:34
Matthias Villiger
Messages: 232
Registered: September 2011
Senior Member
Hi Mark

If I understand your scenario right, this means that for the first security layer (to check if the user is registered and belongs to a certain role in the database) you already need to connect to the database, right?
This means on the other hand that you must connect to the database with any untrusted and unverified credentials to check if the user exists and has that particular role. Am I right or did I misunderstand your scenario?
Anyway, I would not recommend configuring a database to accept connections for all credentials.

Please feel free to correct me if I misunderstood your scenario or question.

Kind regards
Mat
Re: User credential and verification [message #1797009 is a reply to message #1794656] Wed, 24 October 2018 05:46
Mark Novem Grisola
Messages: 27
Registered: November 2017
Junior Member
Hello Sir,

Exactly, but right now we have already decided to reduce our security layers to one (1) only to speed up our design and development. Thanks for the recommendation sir, we'll consider it and re-evaluate our security designs. Sir, what's the best way or method you may recommend to us if we want to use the user's credentials (username & password) to connect to the database? It would really be a big help to us if you could give us a hand, sir Mat, or direct us to a link (site) which addresses our related concerns.

We thank you for your time and effort to facilitate our concerns.

Best regards,

Mark
Re: User credential and verification [message #1797100 is a reply to message #1797009] Thu, 25 October 2018 08:45
Matthias Villiger
Messages: 232
Registered: September 2011
Senior Member
Hi Mark

You can just call me Mat. No need for the sir ;-)

I have no experience with a setup that connects to the database with the real user credentials. Scout is also not prepared for this setup out of the box.

I think it is feasible to create an application with that setup but there might be some pitfalls on the way:
1. Scout does not have the password of the user available on the backend by default. You would need to send it to the backend (encrypted, e.g. https) and maybe store it there in the session. Currently the Scout Service Tunnel cannot do that.
2. The Scout Connection Pool for leasing JDBC Connections to the database can probably not be used.

Hope this helps you in your concerns.

Kind regards
Mat
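
The first layer discussed in this thread (a PostgreSQL login as the end user, plus a role-membership check) can be sketched with plain JDBC as follows. This is an added example, not code from any of the posts or from Eclipse Scout; the class name, JDBC URL and role name `app_users` are assumptions, and it assumes the PostgreSQL JDBC driver is on the classpath and the password has already reached the backend over an encrypted channel.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Properties;

/** Hypothetical helper: opens a non-pooled connection as the end user. */
public final class PerUserDbLogin {
  // Assumed values, not taken from the thread.
  private static final String JDBC_URL = "jdbc:postgresql://db.example.internal:5432/appdb";
  private static final String REQUIRED_ROLE = "app_users";

  public enum Result { OK, BAD_CREDENTIALS, NOT_IN_ROLE }

  public static Result check(String username, String password) throws SQLException {
    Properties props = new Properties();
    props.setProperty("user", username);
    props.setProperty("password", password);
    // A fresh connection per check: a shared pool is bound to one fixed account.
    try (Connection con = DriverManager.getConnection(JDBC_URL, props);
         PreparedStatement ps = con.prepareStatement(
             "SELECT pg_has_role(current_user, CAST(? AS name), 'member')")) {
      ps.setString(1, REQUIRED_ROLE);
      try (ResultSet rs = ps.executeQuery()) {
        rs.next();
        return rs.getBoolean(1) ? Result.OK : Result.NOT_IN_ROLE;
      }
    } catch (SQLException e) {
      String state = e.getSQLState();
      // 28P01 = invalid_password; 28000 = invalid_authorization_specification
      // (for example a role without LOGIN, or a pg_hba.conf rejection).
      if ("28P01".equals(state) || "28000".equals(state)) {
        return Result.BAD_CREDENTIALS;
      }
      throw e; // network or server faults are not authentication failures
    }
  }
}
```

Every call costs a full database authentication handshake, which is the pooling limitation named in point 2 above.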