Re: General Security-Question
From | Doug McNaught |
---|---|
Subject | Re: General Security-Question |
Date | |
Msg-id | m3y9qpcxhm.fsf@belphigor.mcnaught.org |
In reply to | General Security-Question (elwood@agouros.de (Konstantinos Agouros)) |
Responses | Re: General Security-Question |
List | pgsql-general |
elwood@agouros.de (Konstantinos Agouros) writes:

> I am currently developing a software that should replace our hated
> excel-timesheets. My problem is the following: I have a
> Java applet for data entry that connects to the database via
> jdbc. There is a table that holds the data (who worked what
> when). So far so good, but: Since I must grant update/insert/delete
> access to this table to everybody that can use this application, how
> can I stop people from updating the data of the others. The one
> thing that came to my mind was not creating database-users but
> instead use a static user, and let the application handle the logic
> who can access which lines in the database (it's also a matter of
> data privacy, one should be allowed to watch one's own data but not
> of the others, the team-manager should see the data of the team
> etc). The read-access can be implemented using views but I don't
> see much other way for data-entry. Somebody has an idea?

Honestly, I think the best way to do this is to create a Java class (or classes) that implements all your business logic on the server side, then have the applet make RMI calls into that API. You can pass the applet a random cookie when it's created, and have the applet pass that back as part of the RMI call, and then check in the server logic to see whether the user is trying any funny stuff (like trying to see or modify someone else's data).

Make sense?

-Doug

--
The rain man gave me two cures; he said jump right in,
The first was Texas medicine--the second was just railroad gin,
And like a fool I mixed them, and it strangled up my mind,
Now people just get uglier, and I got no sense of time... --Dylan
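
One way to lay out the server-side check described in the reply above, as an added example that is not code from the thread: the caller's identity is taken from a random session cookie, and every read or write is filtered by it. The class and method names, the in-memory maps standing in for the database table, and the sample users and date are assumptions; the RMI transport and the password check before `login` are left out.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
// Added example: hypothetical server-side API the applet would call instead of using JDBC directly.
public class TimesheetService {
    record Entry(String owner, String day, double hours) {}
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, String> sessions = new ConcurrentHashMap<>(); // cookie -> user
    private final Map<Integer, Entry> entries = new ConcurrentHashMap<>();  // stands in for the table
    private final AtomicInteger nextId = new AtomicInteger();
    private final Map<String, String> managerOf = Map.of("alice", "carol", "bob", "carol"); // constructed
    // Called once the user has authenticated; the client only ever holds the cookie.
    public String login(String user) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String cookie = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(cookie, user);
        return cookie;
    }
    // Identity comes from the cookie, never from a user name supplied by the client.
    private String caller(String cookie) {
        String user = cookie == null ? null : sessions.get(cookie);
        if (user == null) throw new SecurityException("unknown session");
        return user;
    }
    public int addEntry(String cookie, String day, double hours) {
        int id = nextId.incrementAndGet();
        entries.put(id, new Entry(caller(cookie), day, hours)); // owner is forced to the caller
        return id;
    }
    public void updateHours(String cookie, int id, double hours) {
        String user = caller(cookie);
        Entry e = entries.get(id);
        if (e == null || !e.owner().equals(user)) throw new SecurityException("not your entry");
        entries.put(id, new Entry(e.owner(), e.day(), hours));
    }
    public List<Entry> visibleEntries(String cookie) { // own rows, plus the team's rows for its manager
        String user = caller(cookie);
        return entries.values().stream().filter(e -> e.owner().equals(user) || user.equals(managerOf.get(e.owner()))).toList();
    }
    public static void main(String[] args) {
        TimesheetService svc = new TimesheetService();
        String alice = svc.login("alice"), bob = svc.login("bob"), carol = svc.login("carol");
        int id = svc.addEntry(alice, "2001-05-14", 8.0); // constructed sample row
        svc.updateHours(alice, id, 7.5);
        try { svc.updateHours(bob, id, 0); } catch (SecurityException ex) { System.out.println("bob: " + ex.getMessage()); }
        System.out.println(svc.visibleEntries(alice).size() + " " + svc.visibleEntries(bob).size() + " " + svc.visibleEntries(carol).size());
    }
}
```

With this layout only the server process needs database credentials, so the applet users get no table grants at all.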