#73 Incorrect user/password used from resource

Status: open
Owner: nobody
Labels: None
Priority: 7
Updated: 2014-08-27
Created: 2009-06-03
Private: No

In this setup, two resources are defined within the <Context/> element of a Tomcat 6 server.xml file, as shown below:

<Context path="/myapp">

  <Resource
    name="jdbc/MyDB_userA"
    auth="Container"
    factory="org.apache.naming.factory.BeanFactory"
    type="com.mchange.v2.c3p0.ComboPooledDataSource"
    jdbcUrl="jdbc:mysql://127.0.0.1/mydb?autoReconnect=true"
    user="userA"
    password="userAPassword"
    driverClass="com.mysql.jdbc.Driver"
    minPoolSize="5"
    maxPoolSize="100"
    acquireIncrement="5"/>

  <Resource
    name="jdbc/MyDB_userB"
    auth="Container"
    factory="org.apache.naming.factory.BeanFactory"
    type="com.mchange.v2.c3p0.ComboPooledDataSource"
    jdbcUrl="jdbc:mysql://127.0.0.1/mydb?autoReconnect=true"
    user="userB"
    password="userBPassword"
    driverClass="com.mysql.jdbc.Driver"
    minPoolSize="5"
    maxPoolSize="100"
    acquireIncrement="5"/>

</Context>

The servlet's web.xml file defines the following two resources:

<resource-ref>
  <description>DB Connection</description>
  <res-ref-name>jdbc/MyDb_userA</res-ref-name>
  <res-type>com.mchange.v2.c3p0.ComboPooledDataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>

<resource-ref>
  <description>DB Connection</description>
  <res-ref-name>jdbc/MyDb_userB</res-ref-name>
  <res-type>com.mchange.v2.c3p0.ComboPooledDataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>

The Java source code gets a connection from either of the two pools by setting dbUserName to either "userA" or "userB":

import java.sql.Connection;
import javax.naming.Context;
import javax.naming.InitialContext;
import com.mchange.v2.c3p0.ComboPooledDataSource;

// Get data source: dbUserName is "userA" or "userB", selecting one of the two pools
InitialContext initialContext = new InitialContext();
Context jdbcContext = (Context) initialContext.lookup("java:comp/env/jdbc");
ComboPooledDataSource dataSource = (ComboPooledDataSource) jdbcContext.lookup("MyDB_" + dbUserName);

// Get connection from the selected pool
Connection con = dataSource.getConnection();

However, regardless of the value of dbUserName, the connection is always established using userA’s credentials.

A work-around is to manually specify the user name and password in code, such as:

if (dbUserName.equals("userA")) con = dataSource.getConnection("userA", "userAPassword");
else con = dataSource.getConnection("userB", "userBPassword");
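Because a pool that silently hands out sessions for the wrong account defeats any privilege separation between userA and userB, a deployment should verify the session identity rather than trust the pool name. The following is an added example, not code from this ticket or from c3p0: a start-up check that looks up each pool under the ticket's java:comp/env/jdbc context, asks MySQL for CURRENT_USER(), and fails if the account differs from the one configured in server.xml. The class name PoolIdentityCheck and the EXPECTED map are constructed for this example.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.sql.DataSource;

/** Start-up self-check (hypothetical): confirm each JNDI pool really
 *  authenticates as the account it was configured with. */
public final class PoolIdentityCheck {

    /** Pool name -> expected MySQL account, constructed from the ticket's server.xml. */
    static final Map<String, String> EXPECTED = Map.of(
            "MyDB_userA", "userA",
            "MyDB_userB", "userB");

    /** Returns the account the session authenticated as, e.g. "userB@localhost". */
    static String sessionUser(Connection con) throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT CURRENT_USER()")) {
            rs.next();
            return rs.getString(1);
        }
    }

    /** Checks every pool; throws IllegalStateException listing all mismatches. */
    public static void verify(Context jdbcContext) throws NamingException, SQLException {
        StringBuilder problems = new StringBuilder();
        for (Map.Entry<String, String> e : EXPECTED.entrySet()) {
            // ComboPooledDataSource implements javax.sql.DataSource
            DataSource ds = (DataSource) jdbcContext.lookup(e.getKey());
            try (Connection con = ds.getConnection()) {
                String actual = sessionUser(con);
                // CURRENT_USER() returns "user@host"; compare the account part only
                int at = actual.indexOf('@');
                String account = at < 0 ? actual : actual.substring(0, at);
                if (!account.equals(e.getValue())) {
                    problems.append(e.getKey()).append(": expected ").append(e.getValue())
                            .append(" but session runs as ").append(actual).append('\n');
                }
            }
        }
        if (problems.length() > 0) {
            throw new IllegalStateException("JNDI pool identity mismatch:\n" + problems);
        }
    }
}
```

Call verify((Context) new InitialContext().lookup("java:comp/env/jdbc")) from a ServletContextListener so the web application refuses to start when the userB pool is serving userA sessions.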

Discussion

  • Cristian Almstrand

    • priority: 5 --> 7
     
  • Cristian Almstrand

    Increasing priority to 7 due to the potential of this bug having serious security consequences.
