[wsf-c-dev] Embedding AXIS2/C into mysql (new topic)

James Clark james at wso2.com
Wed Feb 21 02:33:07 PST 2007


On Wed, 2007-02-21 at 15:33 +0600, Chamil Thanthrimudalige wrote:
> On Feb 21, 2007, at 12:27 PM, James Clark wrote:
> 
> > I forgot to mention another major thing that needs dealing with:
> >
> > - access control
> 
> We are using the WSAS built in service access control when using this.

How are the credentials that WSAS uses to access the database related to
the credentials that the user supplies to access WSAS?

The easiest thing to implement is to use a single, fixed username to
access the database regardless of how the user authenticated to WSAS.
But that isn't a good solution, because it bypasses the per-user access
controls in the database.

A better solution is for the user to put a UsernameToken in the message,
which WSAS then uses to connect to the database.  To make this a bit
more secure, the user could also add an X509 certificate to the message
and sign the UsernameToken with that certificate, and then encrypt that
with WSAS server's certificate.

With PostgreSQL an alternative would be to connect to the database as a
single fixed role, and then SET ROLE to change to the user's role (a bit
like setuid).  Unfortunately, as far as I can tell, MySQL lacks this
functionality.

James
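
The PostgreSQL alternative described in the message above (one fixed login role that switches to the caller's role), as an added example that is not part of the original post. The role names wsas_gateway, alice and bob, the payroll table and the password placeholder are assumptions made for illustration.

```sql
-- Setup, run once by a database administrator.
-- All names below are constructed for this example.

-- Per-user roles hold the real privileges and cannot log in directly.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;

-- The single fixed role the service connects as. NOINHERIT means it
-- holds no privileges of alice or bob until it explicitly switches role.
CREATE ROLE wsas_gateway LOGIN NOINHERIT PASSWORD 'PLACEHOLDER-set-a-real-secret';

-- Membership is what permits SET ROLE; grant only the roles the
-- gateway is allowed to act as.
GRANT alice TO wsas_gateway;
GRANT bob   TO wsas_gateway;

CREATE TABLE payroll (employee text NOT NULL, salary numeric NOT NULL);
GRANT SELECT ON payroll TO alice;   -- bob deliberately gets no grant

-- Per-request work, run on a connection opened as wsas_gateway after
-- the service has authenticated the caller as "alice".
BEGIN;
SET LOCAL ROLE alice;               -- scoped to this transaction only
SELECT current_user, session_user;  -- effective role vs. login role
SELECT employee, salary FROM payroll;
COMMIT;                             -- SET LOCAL is undone here

-- The same request for a caller authenticated as "bob": the per-user
-- access controls in the database apply, and the SELECT is refused
-- because bob holds no privilege on payroll.
BEGIN;
SET LOCAL ROLE bob;
SELECT employee, salary FROM payroll;
ROLLBACK;
```

A session that has switched role can switch back with RESET ROLE, so this protects only statements the service itself constructs. The role name passed to SET ROLE has to come from the service's authentication result, never from request content.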





