Monday, 6 May 2019

A proper way to check access rights to remote data source in an HTTP application

I'm building an HTTP application that allows a user to perform manipulations on data stored in a remote data source (like Teradata or Oracle DB). In detail, the user can provide a database name, and then the application should check whether the user has read access to this database in the DBMS. Checking this with the DBMS requires a username and password. The application has its own authentication, and asking the user to log in again is probably not wanted for UX. So how can this authorization be performed? Apparently a client session should be used, but how exactly?

So far I can think of two ways:

1) Saving the user's credentials in the session, so they can be used when needed to access the DBMS - not sure how well this meets the security requirements. Also I'm not fully sure on which side of the application they should be stored - persisted/cached on the server side, or saved on the client side and resent on every request to the server.

2) On authentication, getting all accessible database names from the DBMS and saving them in the session - probably much more secure, but it seems to involve a much larger amount of information to save.
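As an added example (not code from the question's author), here is a minimal sketch of option 2 in Python: the password is used exactly once, at login, to ask the DBMS which databases the user may read; the resulting grant set is cached in a server-side session keyed by an opaque id, and every later "may the user read database X?" check is answered from that cache without the password ever being retained. The DBMS catalogue, the user records and the upper-casing of database names are constructed stand-ins for this example, not Teradata or Oracle behaviour. A time-to-live on the cached grants bounds how long a revoked right stays usable, which is the main weakness of caching permissions at login.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Constructed stand-in for the DBMS catalogue: which user may read which databases.
# In a real deployment this is a query run with the user's own credentials, which is
# why the example performs it once, at login, and then discards the password.
FAKE_DBMS_USERS = {
    "alice": {"password": "alice-pw", "readable": {"SALES", "MARKETING"}},
    "bob":   {"password": "bob-pw",   "readable": {"HR"}},
}


def dbms_list_readable_databases(username: str, password: str) -> Optional[Set[str]]:
    """Authenticate against the (constructed) DBMS and return the databases the
    user may read, or None when the credentials are rejected."""
    record = FAKE_DBMS_USERS.get(username)
    if record is None or not secrets.compare_digest(record["password"], password):
        return None
    return set(record["readable"])


@dataclass
class Session:
    username: str
    readable: FrozenSet[str]   # cached grants; the password itself is never stored
    expires_at: float          # absolute time after which the cache is no longer trusted


class SessionStore:
    """Server-side session store: the client only ever holds the opaque session id,
    so neither credentials nor the grant list travel back to the browser."""

    def __init__(self, ttl_seconds: float = 900.0):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Verify credentials with the DBMS, cache the grant set, return a session id
        (or None on failure). The password is not kept anywhere after this call."""
        now = time.time() if now is None else now
        readable = dbms_list_readable_databases(username, password)
        if readable is None:
            return None
        sid = secrets.token_urlsafe(32)
        # Upper-casing is a constructed normalisation for this example, chosen so the
        # membership test is not defeated by a differently-cased request.
        self._sessions[sid] = Session(
            username=username,
            readable=frozenset(db.upper() for db in readable),
            expires_at=now + self.ttl,
        )
        return sid

    def can_read(self, sid: str, db_name: str, now: Optional[float] = None) -> bool:
        """Authorization check answered purely from the cached grants."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return False
        if now >= session.expires_at:
            # Stale cache: drop it so the user must re-authenticate, which refreshes
            # the grant list from the DBMS and picks up any revocations.
            self._sessions.pop(sid, None)
            return False
        return db_name.upper() in session.readable

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.login("alice", "alice-pw", now=1000.0)
    print(store.can_read(sid, "sales", now=1010.0))   # True: granted at login
    print(store.can_read(sid, "HR", now=1010.0))      # False: not in alice's grants
    print(store.can_read(sid, "SALES", now=1061.0))   # False: session expired
```

Keeping the session state server-side means a stolen session id is the only secret the client can leak, and it can be revoked by `logout` or by expiry; storing the password in the session (option 1) would instead keep a reusable DBMS credential in memory for the whole session lifetime, on whichever side it is held.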
