I have written a web app using Java EE for altering the contents of a table. For user authentication I am using the database credentials of the user. I am creating the JDBC connection using these credentials.
The problem arose when two or more user simultaneously logged in and the Connection object got updated with the credentials of the latest user. So no matter which user made the changes, the username of the latest user gt logged in the log file, which is a massive security issue.
So how can I create multiple Connection objects for multiple users so that the only username of the user who is making the modification gets in the log.
This sounds as if you were storing a reference to your connection objects in a static variable, keeping just a single connection object in your web application. Instead of that, you can make use of HttpSession to store a user-specific connection object in user’s session as an attribute. Store the connection there at the first time user accesses the application, then, at each subsequent request, get the connection back, check if it is still valid and use it.
Also do not forget to close the connection once the session timeouts. This can be achieved by implementing a HttpSessionListener that checks for any connections in session and closing it in
sessionDestroyed()method.EDIT: For multiple reasons, it is usually not a good design to use DB credentials to let users log on to an application. However, with low number of sessions (and thus low number of connections simultaneously opened on the DB) and with DB rights reasonably set, this still might work well.
EDIT 2: And of course, access to such a cached connection needs to be synchronized (say, in case a user tries to hit your app with multiple simultaneous requests, e.g. by having multiple browser windows open). This might be a (little) tricky.