Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is there any way to define a true read-only datasource using JBoss and Oracle?
I’d like to stick to the single default schema user but limit certain parts of the application to read-only to avoid SQL injection issues at all. If there is no such way in JBoss I’ll have to create another user with limited privileges in Oracle.
Whether or not you can do it in JBoss you should create the second user anyway.
Database permissions should be set in the database layer; don’t try to apply them in code. The database has been designed to ensure that it is impossible to write to a table that you don’t have the permissions to write to. If you implement this in the application it only takes a small change, or a small bug, to break this restriction.
If you don’t want to reference a table in another schema you can always create a synonym in your own that points to it.
There’s a related programmers question that you may find interesting. Simply put “Never do in code what you can get the SQL server to do well for you”. This specific scenario isn’t mentioned but I think it applies.