Database access security
WebSphere Application Server uses a number of database tables to persist user data. The authority in effect for a specific database connection, that is, the user profile under which the connection is made, determines whether that connection can access the tables.
You can choose from the following options to protect access to these tables:
- Change the user profile that WebSphere Application Server uses to access a resource to one that already has authority to the tables.
- Add authority for accessing the tables to the user profile that WebSphere Application Server uses.
- Use a combination of both methods.
In the following cases, consider changing the user profile that WebSphere Application Server uses to access the data:
- The table was created prior to the installation of WebSphere Application Server.
- Programs other than WebSphere Application Server access the tables.
For tables that are created by WebSphere Application Server and used only within the WebSphere environment, the default profiles are most likely suitable.
The following table summarizes security information for the different user database tables in the WebSphere environment:
Type of data: Servlet session data
Created by: WebSphere Application Server
iSeries library: By default, QEJBAS5SN. Specify a different library by editing the Session Manager persistence properties.
User profile: By default, the user profile under which the application server runs. Specify a different user profile by editing the Session Manager persistence properties.

Type of data: Entity enterprise beans that use container managed persistence (CMP)
Created by: WebSphere Application Server or already existing
iSeries library: User defined
User profile: By default, the user profile under which the application server runs. Specify a different user profile by changing the DataSource for the enterprise bean.

Type of data: User-written database access in servlets, session beans, and entity beans with bean managed persistence (BMP), with or without connection pooling
Created by: WebSphere Application Server, user code, or already existing
iSeries library: User defined
User profile: By default, the user profile under which the application server runs. Specify a different user profile by modifying the user code to pass an explicit user ID and password when it obtains the database connection.
Here are some terms from the table:
Application server
The application server runs under the user ID that is specified in the USER ID property for the application server. Any database table that is accessed must allow access to that user ID. By default the application server runs under the QEJBSVR user profile, so the database tables that are used must allow access to the QEJBSVR user profile.
EJB container
You can specify a DataSource on the EJB container. The User ID and Password properties of the EJB container DataSource control which user ID is used to access the tables that are defined by the DataSource. A User ID and Password specified for the EJB container DataSource take precedence over the user ID under which the application server is running. If no User ID or Password is specified in the EJB container DataSource properties, the user ID under which the application server is running is used.
Enterprise bean
You can specify a DataSource on the enterprise bean. The User ID and Password properties of the enterprise bean DataSource control which user ID is used to access the tables that are defined by the DataSource. A User ID and Password specified for the enterprise bean DataSource take precedence over both the user ID under which the application server is running and the DataSource that is specified for the EJB container. If a DataSource is specified for the enterprise bean but no User ID or Password is specified in its properties, the user ID under which the application server is running is used, regardless of whether a DataSource was specified for the EJB container or not.
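The precedence rules above, and the guidance earlier on when to change the profile versus grant authority, are easy to get wrong in the one case the text calls out: a bean DataSource with no credentials falls through to the application server identity even when the container DataSource carries credentials. The following is an added example, not IBM code or part of the product, that encodes those rules so a reviewer can check what profile a given bean's SQL will actually run under. The DataSource and TableInfo structures, the sample configuration, and the choice to treat a User ID without a Password as unset are assumptions made for illustration.

```python
"""Resolve the iSeries user profile under which WebSphere database access runs.

Added example, not IBM code. Data structures, names, and the sample
configuration are assumptions made for illustration of the precedence rules
in this topic (application server USER ID, EJB container DataSource,
enterprise bean DataSource).
"""

from dataclasses import dataclass
from typing import FrozenSet, Optional

DEFAULT_SERVER_PROFILE = "QEJBSVR"  # default USER ID property of the application server


@dataclass
class DataSource:
    """A DataSource definition with optional User ID / Password properties."""
    name: str
    user_id: Optional[str] = None
    password: Optional[str] = None

    def has_credentials(self) -> bool:
        # Assumption: both properties must be set for the DataSource to
        # override the server identity; a User ID without a Password counts as unset.
        return bool(self.user_id) and bool(self.password)


def effective_profile(server_user_id: Optional[str],
                      container_ds: Optional[DataSource],
                      bean_ds: Optional[DataSource]) -> str:
    """Return the user profile under which an entity bean's SQL will run.

    Precedence, highest first:
      1. User ID/Password on the enterprise bean's DataSource.
      2. User ID/Password on the EJB container's DataSource, consulted only
         when the bean has no DataSource of its own.
      3. USER ID property of the application server (default QEJBSVR).
    Edge case from the text: a bean DataSource without credentials falls
    straight through to the server identity and skips the container
    DataSource, even if the container DataSource carries credentials.
    """
    server = server_user_id or DEFAULT_SERVER_PROFILE
    if bean_ds is not None:
        return bean_ds.user_id if bean_ds.has_credentials() else server
    if container_ds is not None and container_ds.has_credentials():
        return container_ds.user_id
    return server


@dataclass(frozen=True)
class TableInfo:
    """What an administrator knows about one table (constructed sample data)."""
    name: str
    created_by_websphere: bool
    shared_with_other_programs: bool
    authorized_profiles: FrozenSet[str]


def review_access(table: TableInfo, profile: str) -> str:
    """Map a (table, effective profile) pair onto the topic's two remedies.

    'ok'              the profile already has authority to the table
    'change-profile'  table predates WebSphere or is shared with other
                      programs: point WebSphere at a profile that already
                      has authority rather than widening the table's ACL
    'grant-authority' table is WebSphere-created and WebSphere-only: add
                      authority for the profile (the default is usually fine)
    """
    if profile in table.authorized_profiles:
        return "ok"
    if not table.created_by_websphere or table.shared_with_other_programs:
        return "change-profile"
    return "grant-authority"


if __name__ == "__main__":
    # Constructed sample: a container DataSource with credentials and a bean
    # DataSource without them; the bean still runs as QEJBSVR.
    container = DataSource("jdbc/ContainerDS", "CTRUSR", "secret")
    bean_no_creds = DataSource("jdbc/OrdersDS")
    profile = effective_profile(None, container, bean_no_creds)
    orders = TableInfo("ORDERS", created_by_websphere=False,
                       shared_with_other_programs=True,
                       authorized_profiles=frozenset({"CTRUSR", "ORDERAPP"}))
    print(profile, review_access(orders, profile))
```

Running the sample shows QEJBSVR with the recommendation change-profile: the operator who assumed the container DataSource credentials would apply has instead left the bean on the default server profile, and because the table is shared with other programs the right fix is to give the bean DataSource its own User ID and Password, not to grant QEJBSVR authority to the table.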