Details
Task
Status: Open
Minor
Resolution: Unresolved
Description
Historically, in application servers and TP monitors, all the application servers connect using a data source with the user name and password defined in the data source. Thus all transactions are carried out by a single user, regardless of the actual user logged in to the application server.
I want to connect from either or both of Tomcat and JBoss to MariaDB, passing the credentials of the user to MariaDB so that the connection then takes on all the rights and privileges of the connected user, but I cannot see how to do this.
Historically, when building an application using WebSphere and DB2, I can define a data source in WebSphere that is what is called a trusted connection. When WebSphere connects to DB2 it uses the trusted connection, and DB2 automatically switches to the named user.
We have configured Tomcat to use an LDAP server, and we have configured MariaDB and PAM to use the same common LDAP server, but we have got stuck at the last leg, as we cannot see any way to define a data source that will allow the credentials to be passed.
We can see the AlternateUsernameAllowed, but we think that only applies to a getConnection(username,password) where you know the user password, which of course we don't, because that is locked in the LDAP server.
Would it be possible to have a facility in MariaDB where an appropriately privileged user can have a command such as
CHANGE USER 'username';
The ideal scenario would be if there could be a transparent handshake within Tomcat and MariaDB, so that when using an appropriate data source the connection was automatically changed to the Tomcat user.
As an alternative, we know the current user who has logged into Tomcat, and we can pass this to the servlet, which could then change the user to the Tomcat logged-in user. However, this relies on user coding, so it could be subverted with a rogue servlet or an application bug.