Secure Programming
Credentials for Application use May 10 2005 09:05AM
Mikey (mike_chan_ hotmail com) (1 reply)
This is a broad question around the current practices and recommendation of
what not to do when it comes to credentials used by applications to gain
access to a resource or data stored elsewhere.

As an example, I have some middleware components that need to gain access
to a data repository that contains sensitive information. The middleware
components and data repository reside in separate, distinct security
boundaries protected by differing authentication and access control mechanisms.

Application developers insist the only way to gain access to the data
repository is to create a set of credentials for the repository that only
they can use. But because the middleware components are using it, there is
no requirement for a user to enter those credentials in order to
authenticate usage. I guess I wouldn't want the users to know the details
of this set of credentials either.

Short of creating a user credential for each user accessing the application
on the data repository side, they insist that they need to store the userid
and password in a static format somewhere on the middleware server. For
example, a configuration file or some part of the operating system.

Is there a best practice guideline for this scenario? What have other
people in the same situation been doing here?

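An added example, not part of the original post or of the reply, showing one way to handle the situation the poster describes: the middleware loads the repository user ID and password from a file on the middleware server, but only if that file is a regular file owned by the service account and readable by nobody else, and it also accepts credentials injected through the environment (for instance by an init system or secrets agent) so the password need not be on disk at all. The environment variable names REPO_USER and REPO_PASSWORD, the JSON file layout and the sample values are assumptions made for this illustration.

```python
import json
import os
import stat
import tempfile

# Hypothetical names for this example; the thread names no product or file.
ENV_USER = "REPO_USER"
ENV_PASSWORD = "REPO_PASSWORD"


class CredentialFileError(Exception):
    """Raised when the credential file is unsafe to use or malformed."""


def check_credential_file(path):
    """Return a list of reasons the file at `path` must not be trusted.

    An empty list means: regular file, owned by the uid running the
    middleware, and no group/other permission bits, so only this service
    account (and root) can read the stored password.
    """
    problems = []
    try:
        st = os.lstat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or device?)")
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the service uid %d"
                        % (st.st_uid, os.getuid()))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    return problems


def load_repository_credentials(path, env=None):
    """Return (user, password) for the data repository.

    Precedence: values injected through the environment win over the
    file; the file is used only after check_credential_file() is clean.
    The password is returned to the caller and never logged.
    """
    env = os.environ if env is None else env
    if env.get(ENV_USER) and env.get(ENV_PASSWORD):
        return env[ENV_USER], env[ENV_PASSWORD]
    problems = check_credential_file(path)
    if problems:
        raise CredentialFileError("; ".join(problems))
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    for key in ("user", "password"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise CredentialFileError("missing or empty %r in %s" % (key, path))
    return data["user"], data["password"]


def write_repository_credentials(path, user, password):
    """Create the credential file with mode 0600 from the first instant.

    O_CREAT|O_EXCL refuses to follow a pre-planted symlink, and the mode
    is applied at creation so there is never a window where the file
    exists with the default (typically 0644) permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"user": user, "password": password}, fh)


def demo():
    """Constructed scenario: a correctly created file, the same file after
    a careless chmod (the plain 'config file' failure mode), and
    credentials injected through the environment instead of the file."""
    workdir = tempfile.mkdtemp(prefix="repo-creds-")
    path = os.path.join(workdir, "repository.json")
    write_repository_credentials(path, "mw_service", "constructed-example-secret")
    results = {}

    results["ok"] = load_repository_credentials(path, env={})

    os.chmod(path, 0o644)  # what "just put it in a config file" usually ends up as
    results["world_readable"] = check_credential_file(path)
    try:
        load_repository_credentials(path, env={})
        results["rejected"] = False
    except CredentialFileError:
        results["rejected"] = True

    injected = {ENV_USER: "mw_service", ENV_PASSWORD: "injected-secret"}
    results["from_env"] = load_repository_credentials(path, env=injected)
    return results


if __name__ == "__main__":
    out = demo()
    print("problems after chmod 0644:", out["world_readable"])
    print("world-readable file rejected:", out["rejected"])
    print("environment override used:", out["from_env"][0])
```

The check is deliberately a refusal rather than a warning: a middleware process that silently keeps working from a world-readable credential file gives nobody a reason to fix the permissions. Running the middleware under its own dedicated account is what makes the owner test meaningful.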
Re: Credentials for Application use May 18 2005 03:11PM
Alexander Klimov (alserkli inbox ru)