Using different database when a user logs in - session

In Symfony 2.0, I need to change the DB for a particular user until he logs out, but the code is the same.
Is that possible?

It's possible, but should not be done the way you described it.
You'll always need a connection that will not change: the database that will handle authentication.
Then for each user, you might have a specific database. After login, you should have the account details (database details) you need to connect to the user's database.
Once you have it, use one of the methods described in
Take a look: Symfony 2 : multiple and dynamic database connection
It should be pretty straightforward.
PS: Instead of a permanent connection, you could also have the users authenticated by another server in an SSO (single sign-on) environment - that's an advanced topic. The connection details of the user's database should then come from that server.

Check out Symfony2, Dynamic DB Connection/Early override of Doctrine Service
It's a slight duplication of the other one, but was specific to using request params, and the answer provides more details in its wiring of services. Not sure if it's helpful over the other answer, but check it out anyway.

Related

disallow multiple logins of a user session in websphere

My application is deployed in IIS, which has plugins to connect to WebSphere, where my application servers are spun up. WebSphere connects to LDAP for user auth. I have a requirement to have ONLY one user session allowed through WebSphere. If the same user identity tries to log in again on the same or another device or anywhere, there should be some setting / configuration in WebSphere that prohibits the user from making a second session. Any direction on this matter will be helpful.
If you are using standard WAS security with form based login, you could take a look into this Redbook WebSphere Application Server V7.0 Security Guide. In the chapter "8.8 Customizing the login process" it shows filter that you could use for customizing login process. More detailed approach is also shown here https://www.ibm.com/docs/en/was-nd/8.5.5?topic=login-developing-servlet-filters-form-processing
In very high level:
you need a db with a table where you keep your current logins and login times (to provide some timeouting in case one doesn't log off properly)
in filter you check if given user has active concurrent login and return error page instead or pass through to the app.
This is very high level and you need to design it correctly to not lock out your users. E.g. user accidentally closing his browser would result with having to wait for the timeout before being able to log in again.
Another approach could be to logout any existing sessions, and log in just new user, but that approach requires you to have distributed session invalidation, which is also not an easy design.
So in short, I'd think twice if it is really a required feature before implementing it, as it adds a lot of complexity to your application ;-)
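The login table and the check the filter would make, sketched as an added example (not code from the answer or from WebSphere). It uses an in-memory SQLite table in place of the shared database; the table name, column names and the 30-minute timeout are assumptions.

```python
import sqlite3

TIMEOUT_SECONDS = 1800  # assumed idle timeout; align with the application's session timeout


def open_registry():
    """In-memory stand-in for the shared table of current logins."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE active_logins ("
        " username TEXT PRIMARY KEY,"  # one row per user means one session per user
        " session_id TEXT NOT NULL,"
        " last_seen INTEGER NOT NULL)"
    )
    return conn


def try_login(conn, username, session_id, now):
    """Return True if this session may proceed, False if another live session holds the slot."""
    with conn:  # expire and claim inside one transaction
        # Drop a stale entry so a user who just closed the browser is not locked out forever.
        conn.execute(
            "DELETE FROM active_logins WHERE username = ? AND last_seen < ?",
            (username, now - TIMEOUT_SECONDS),
        )
        # Claim the slot only if it is free; the primary key rejects a second row.
        cur = conn.execute(
            "INSERT OR IGNORE INTO active_logins VALUES (?, ?, ?)",
            (username, session_id, now),
        )
        if cur.rowcount == 1:
            return True
        # Slot is taken: only the owning session passes, and its timestamp is refreshed.
        cur = conn.execute(
            "UPDATE active_logins SET last_seen = ? WHERE username = ? AND session_id = ?",
            (now, username, session_id),
        )
        return cur.rowcount == 1


def logout(conn, username, session_id):
    """Release the slot on explicit logout so the next login succeeds immediately."""
    with conn:
        conn.execute(
            "DELETE FROM active_logins WHERE username = ? AND session_id = ?",
            (username, session_id),
        )
```

The filter would call `try_login` on every authenticated request, so `last_seen` tracks activity rather than only the login time.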

How i can share data which i connected with Heroku connect with other salesforce users

I have my website in PHP and DB in MySQL. I want Salesforce users to search on my database from within their Salesforce. For that, Heroku Connect seems to be the option. So I am thinking of converting my MySQL DB to PostgreSQL and then using Heroku Connect to share my data with my Salesforce account. The question I have is, how can I share the same data with other Salesforce users? Those users are my website clients and I don't want them to go through this process of Heroku Connect. Is there a way of sharing my data with other Salesforce users?
You cannot and should not expose your database directly to your customers. That would allow them to change the data as well as read it.
Your solution here is to create a public API which exposes endpoints that will make it possible for anyone (with proper authentication hopefully) to query your data.
There are many ways you can design an API, whether it's a REST or a GraphQL one. This is something which can absolutely be done in PHP though.

Identity server communication with DB - Security concerns

I need quick help regarding Identity server.
There is a client requirement to not allow any public hosted application to directly talk to the database. In Identity server's case, the Identity server will be hosted publicly for token endpoint, and it queries the database for operational data (went for Db approach with reference tokens because IDsrv will be on NLB). Is there any workaround for this? or is this standard practice?
Thanks
If you don't want IdentityServer to talk directly to the database, you will need to implement & register custom implementations of ICorsPolicyService, IAuthorizationCodeStore, IClientStore, IConsentStore, IRefreshTokenStore, IScopeStore, and ITokenHandleStore that call off to an external app that can talk to the database.
Normal operating procedure is to have IdentityServer talk directly to the database. I don't see much merit in separating the two.
FYI: You don't need to use reference tokens if you are using load balancing. Check out the deployment docs.

Migrating Single-Tenant to Multi-Tenant application

We are upgrading a single-tenant application to a multi-tenant (separate DB for each client) SaaS application. My responsibility is to design the tenant provisioning part. I am thinking of the following steps.
When our admin installs our software, one DB should always get created. The argument for this step is that the admin will install the software only when at least one tenant comes up. So, creation of a single DB as part of the installation of our software should make sense.
The common metadata will be stored in a common place. We are thinking of using ZooKeeper to store the common metadata.
Each tenant will be given a subdomain. For example www..samplaTenent.com . This tenant_id will be extracted from the URL in each request and will be used to identify the particular tenant and respective DB.
If more tenants need to be provisioned, the admin will create a new DB instance through user interface.
Technology used:
Java 6
Struts Framework
MS SQL
Now, I would like to get expert opinion about the proposed solutions. Is there any other way by which we can build a robust, secure and scalable SaaS application?
Thanks.
IMHO, I would suggest that you should have a single code base that can handle the multi-tenancy aspects, be it configuration of db, settings per tenant etc. I am not aware of the code base that you have now. Hence, you can make the provisioning part as follows,
You provision a new tenant by getting all the prerequisite info. You can generate the URL for this tenant automatically or allow the tenant to choose one; in the latter case a validation has to be made for the URL and the tenant combination.
On this step completion, you can have some scripts at the server that clones a master code base and rolls out a new tenant specific db. So things are automated.
The next step will be to store the tenant db and the app details in your common or shared db so that when a tenant logs in, you can redirect him to his URL. The db details will be required if you want to handle all of the tenant and his user authentication from the main app.
The main perceived advantage of having a single code base is that the customization and configuration can be in one place with ease of code maintenance and bug fixing or enhancing. Though this may not work for all scenarios, this is what I feel is the more suitable option in the long run.
Please share your thoughts or post additional queries that you may have on multi-tenancy.
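An added example (not from the question or the answer) of the per-request step discussed in this thread: taking the tenant id from the subdomain and mapping it to that tenant's database. The base domain `example.com`, the tenant ids and the database names are constructed; the dictionary stands in for the shared metadata store.

```python
import re

# Constructed registry standing in for the common metadata store.
TENANT_DATABASES = {
    "acme": "tenant_acme_db",
    "globex": "tenant_globex_db",
}
BASE_DOMAIN = "example.com"  # assumed base domain for all tenant subdomains
# A single DNS label: letters, digits and inner hyphens, at most 63 characters.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def resolve_tenant_db(host_header):
    """Map a Host header to a tenant database name, or None if it is not a known tenant."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Drop an optional port; anything non-numeric after the colon is rejected.
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    host = host.rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    tenant_id = host[: -len(suffix)]
    # Exactly one well-formed label: no nested subdomains, no quoting or SQL characters.
    if not LABEL.fullmatch(tenant_id):
        return None
    # Look the id up in the registry; the database name is never built from request data.
    return TENANT_DATABASES.get(tenant_id)
```

Returning `None` for every unrecognised host lets the caller fail closed instead of falling back to a default tenant.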

How to authorize a user/application combination in Oracle?

I'd like to authorize the user/application combination, not only the user.
The scenario is that we've built an app that guides the user to safe updates of some data.
If the same user installs PL/SQL Dev, Toad, or any other Oracle management tool, she can edit the data in ways that the app prohibits.
Vincent's answer is good (and he also makes a good point in his comment about spoofing the executable).
For a more programmatic method (no mid tier), see my answer to a similar question. It basically involves coding an ALTER SESSION into your application that enables a role.
You can use a proxy user to restrict access to the database. Your users would only be able to connect (authentication) and activate a role (authorization) through the middle-tier account. They would not need to know their DB password. They can be authenticated externally (with AD for example).
See this thread on AskTom and the documentation for further reading.
The v$session view contains a column 'program'. This contains the name of the connected application. You may be able to use this information.
To determine the session ID use this:
select
sys_context('USERENV','SID')
from dual;
