Secure Coding mailing list archives
Re: Credentials for Application use
From: Michael Silk <michaelslists () gmail com>
Date: Thu, 12 May 2005 19:17:15 +0100
If you are just talking about a password to access a db, the 'typical' approach (at least the approach I use) is just to store that password in the code/config file. You may like to add a layer to that by encrypting it in some config file, and requiring a 'decryption' (initialisation) of the 'server' to take place, where the key is entered and the db password is kept in 'application' memory until the next reset, etc.

But, if you want to use the db resource to manage permissions for various users AS WELL as your app logic (i.e. some redundant security system; [which is good]) then you'll need to create sql/whatever accounts for each user, obviously.

Depends what you want, I guess. I think the answer to your question is that the password is stored in a config file.

-- Michael

On 5/12/05, Mikey <[EMAIL PROTECTED]> wrote:
Chris,

Your situation is a little unique in that you encrypt the data with the password. The data backend I was referring to is simply a backend database like an SQL Server, Oracle 8i or DB2 data repository. All users need to do to get access to it is to authenticate to it and then have the right access controls to its tables/rows.

SSO may solve my problem but the problem I have right now is that SSO is not here for us yet. What I'd like to understand is from people with experience in this stuff who have not implemented enterprise SSO solutions so that I can get that light bulb above my head to work. :-)

Thanks.

At 11:00 AM 11/05/2005 -0500, Gizmo wrote:

Maybe I don't fully understand the concept of Single Sign-On. As I understand it, SSO allows a user to log in to an application portal, and all of the applications that user accesses via that portal know who the user is and what rights they have within their respective application realms. As such, it is a front-end technology; the back-end applications don't know anything about this. Since my application is a server in a client-server architecture, it is a back-end app.

In any case, SSO wouldn't help the situation where the data are encrypted by the password, if the data are accessed by more than one user. The idea behind this implementation is to ensure that even if a bad guy gains access to the server and the data files of the DB, he still can't get at the actual data without the key. Or am I missing something?

Later,
Chris