IBM DB2 User Manual

585 pages
A trusted context is an object that the database administrator defines that contains
a system authorization ID and a set of trust attributes. Currently, for DB2 database
servers, a database connection is the only type of context that is supported. The
trust attributes identify a set of characteristics of a connection that are required for
the connection to be considered a trusted connection. The relationship between a
database connection and a trusted context is established when the connection to
the database server is first created, and that relationship remains for the life of the
database connection.

After a trusted context is defined, and an initial trusted connection to the DB2
database server is made, the middleware server can use that database connection
under a different user without reauthenticating the new user at the database
server.

To avoid vulnerability to security breaches, an application server that uses these
trusted methods should not use untrusted connection methods.

The DB2ConnectionPoolDataSource class provides several versions of the
getDB2TrustedPooledConnection method, and the DB2XADataSource class provides
several versions of the getDB2TrustedXAConnection method, which allow an
application server to establish the initial trusted connection. You choose a method
based on the types of connection properties that you pass and whether you use
Kerberos security. When an application server calls one of these methods, the IBM
Data Server Driver for JDBC and SQLJ returns an Object[] array with two
elements:
- The first element contains a connection instance for the initial connection.
- The second element contains a unique cookie for the connection instance. The
  cookie is generated by the JDBC driver and is used for authentication during
  subsequent connection reuse.

The DB2PooledConnection class provides several versions of the getDB2Connection
method, and the DB2Connection class provides several versions of the
reuseDB2Connection method, which allow an application server to reuse an existing
trusted connection on behalf of a new user. The application server uses the method
to pass the following items to the new user:
- The cookie from the initial connection
- New connection properties for the reused connection

The JDBC driver checks that the supplied cookie matches the cookie of the
underlying trusted physical connection, to ensure that the connection request
originates from the application server that established the trusted physical
connection. If the cookies match, the connection becomes available for immediate
use by this new user, with the new properties.
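
The cookie check described above, modeled in plain Java as an added example (not IBM driver code and not from the manual). The names PhysicalConnection, handOut and reuse, the 32-byte cookie length and the user names are assumptions made for illustration; the model runs on the JDK alone, without a DB2 server.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.SQLException;

/** Model only: mimics the cookie check described above, not IBM driver code. */
public class TrustedReuseModel {

    /** Hypothetical stand-in for the trusted physical connection held by the pool. */
    static final class PhysicalConnection {
        private final byte[] cookie = new byte[32]; // assumed length
        private String currentUser;

        PhysicalConnection(String initialUser) {
            new SecureRandom().nextBytes(cookie);   // unguessable per-connection value
            currentUser = initialUser;
        }

        /** Mirrors the Object[] shape: [0] = connection, [1] = cookie. */
        Object[] handOut() {
            return new Object[] { this, cookie.clone() };
        }

        /** Switch users only if the caller presents the matching cookie. */
        void reuse(byte[] presented, String newUser) throws SQLException {
            // Constant-time comparison; a null cookie never matches.
            if (presented == null || !MessageDigest.isEqual(cookie, presented)) {
                throw new SQLException("cookie mismatch: reuse refused");
            }
            currentUser = newUser;
        }

        String user() { return currentUser; }
    }

    public static void main(String[] args) throws SQLException {
        Object[] objects = new PhysicalConnection("appsrv").handOut();
        PhysicalConnection con = (PhysicalConnection) objects[0];
        byte[] cookie = (byte[]) objects[1];

        con.reuse(cookie, "alice");                 // holder of the real cookie: accepted
        System.out.println("now running as " + con.user());

        byte[] wrong = new byte[cookie.length];     // constructed non-matching cookie
        try {
            con.reuse(wrong, "bob");
        } catch (SQLException e) {
            System.out.println(e.getMessage() + ", still " + con.user());
        }
    }
}
```

Because the new user is not reauthenticated at the database server, the cookie is the only proof that a reuse request comes from the application server that opened the connection, so it should stay in that server's memory and out of logs and user-reachable state.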

Example: Obtain the initial trusted connection:

// Create a DB2ConnectionPoolDataSource instance
com.ibm.db2.jcc.DB2ConnectionPoolDataSource dataSource =
    new com.ibm.db2.jcc.DB2ConnectionPoolDataSource();
// Set properties for this instance
dataSource.setDatabaseName("STLEC1");
dataSource.setServerName("v7ec167.svl.ibm.com");
dataSource.setDriverType(4);
dataSource.setPortNumber(446);
java.util.Properties properties = new java.util.Properties();
// Set other properties using
// properties.put("property", "value");
// Supply the user ID and password for the connection
Chapter 10. Security under the IBM Data Server Driver for JDBC and SQLJ 457


IBM DB2 Specifications

General
Developer: IBM
Initial Release: 1983
License: Proprietary
Written in: C, C++
Category: Database Management System (RDBMS)
Operating System: Linux, Windows
Programming Languages: C, C++
Data Models: Relational
Editions: Community, Standard, Advanced
Key Features: high availability, scalability