jtds MSSQL single sign on


Post by Steve James » Thu Sep 22, 2016 8:12 am

Hi, we are creating a data hub using Ebase and this will deliver some sensitive data.

Our security and db team would be much happier if we could do some of the security on the database side. As a result I am investigating connecting to MS SQL using Windows Authentication.

I've set Ebase to run under IIS so this is now working as expected.
I've read that jTDS allows SSO. It kind of works in that the connection is made from the application rather than the client.

Am I barking up the wrong tree or should I be able to get a database connection made by the client?

Thanks


Post by Jon » Thu Sep 22, 2016 9:27 am

I think you may be swimming against the tide in trying to do this. Tomcat, and all application servers, use connection pools where the connections are kept open and shared between any number of users. But security is specified when the connection is established, so you would be unable to use connection pooling which is a performance hit. Also you would lose the automatic commit and rollback of database updates which depends on connection pooling. Having said that, this part is at least technically possible as Ebase does support the use of non-pooled connections - but we advise against using them for the above reasons.

Another issue is how to get the user credentials: you already have the username but Ebase never sees the password, which is as it should be. So it is unable to transfer the user's credentials onto a database connection. There may be some other way of transferring the user credentials to SQL Server (NTLM?) and it might be worth investigating this.

I came across this discussion on Stack Overflow: http://stackoverflow.com/questions/2895 ... redentials.

The alternative is to do any authorization checks in your Ebase data hub. If you have the username, you can easily extract information about the user from AD - typically groups, and then check against this. But I can see why you might not want to go down this route - as it leads to duplication of security controls.
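The application-side check described in the reply above (look up the user's AD groups, then check against them), as an added example that is not part of the original thread and is not Verj.io code. The policy map, dataset names, group names and sample `memberOf` values are assumptions constructed for illustration.

```javascript
// Added example: deny-by-default read authorization from AD group membership.
// POLICY, the dataset names and the group names are hypothetical.

// Dataset -> AD groups allowed to read it (constructed sample policy).
const POLICY = {
  payroll_summary: ['HR-Payroll-Readers'],
  site_contacts: ['DataHub-Users', 'HR-Payroll-Readers'],
};

// Return the leading CN of a memberOf distinguished name, lower-cased.
// Handles backslash escapes such as "\,"; hex escapes ("\2C") are not decoded.
function cnOf(dn) {
  const m = /^CN=((?:\\.|[^,\\])+)/i.exec(String(dn).trim());
  return m ? m[1].replace(/\\(.)/g, '$1').toLowerCase() : null;
}

// Decide whether `user` may read `dataset` and return an audit-ready record.
// `user` must be the identity the web server authenticated, never a request
// parameter. `memberOf` holds direct groups only; nested groups must be
// resolved by the caller before this check.
function authorize(user, memberOf, dataset) {
  const known = Object.prototype.hasOwnProperty.call(POLICY, dataset);
  const allowed = known ? POLICY[dataset].map((g) => g.toLowerCase()) : [];
  const groups = new Set(memberOf.map(cnOf).filter(Boolean));
  const matched = allowed.filter((g) => groups.has(g));
  let reason = 'group match';
  if (!known) reason = 'no policy for dataset';
  else if (matched.length === 0) reason = 'no required group';
  return { user, dataset, allow: matched.length > 0, matched, reason };
}

// Constructed sample input: memberOf values in the form AD returns them.
const SAMPLE_MEMBER_OF = [
  'CN=DataHub-Users,OU=Groups,DC=example,DC=com',
  'CN=Finance\\, EMEA,OU=Groups,DC=example,DC=com',
];

for (const ds of ['site_contacts', 'payroll_summary', 'constructor']) {
  console.log(JSON.stringify(authorize('EXAMPLE\\alice', SAMPLE_MEMBER_OF, ds)));
}
```

Queries for an allowed dataset can then run over the shared pooled connection, with the returned record written to the audit log.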


Post by Steve James » Thu Sep 22, 2016 11:02 am

Thanks Jon.

I'm happy configuring the security of the data hub in the application (i.e. Ebase). I just need to prove that it is either impossible or not efficient to have pass-through db connections.

There's no issue regarding updates and commits as these specific connections will be for select only. I believe the volume traffic will use connection pooling, but the real sensitive data is small volume and a low number of users.

I've just had a conversation with our security man and he's coming round to the idea that actually using different security mechanisms between client / app server / db server will improve the security.

I'll still try to see if I can do something with the authorisation header or something else.

Thanks as ever for your help.
Steve