
I have an application which requires login, but the number of users who use the application is no more than 40. In the application, I get some data from the SQL Server database where I only have read permission; also, I cannot create a table in the DB for user validation.

Also, I do not think it is a good idea to create a user table in another database on another machine (for example, I could create a user table in MySQL on another machine, but is that desirable just for user validation)?

Now I just save the user info in a .properties file; any other good ideas?

BTW, the programming language used in my application is Java.

skaffman
hguser

2 Answers

Store your data in a file; use operating system locks and unlocks before reads if multiple instances of the program are in use. If it is just one app, you may be able to get by with a mutex setup (synchronized method).

Jeff Ferland

I guess it is a good idea to save the data in a file as XML. You save the encrypted/hashed password in it as well. Every time a new user is created, append a block something like this:

<users>
  <!-- ... existing users ... -->
  <user>
    <username>first_user</username>
    <password>some_obfuscated_password</password>
    <permission>1,3,4</permission>
    <otherDetails>some detail</otherDetails>
  </user>
</users>

There are standard libraries to parse XML in almost all languages, so that should not be a problem. And if anyone sees the file, he can't get the password. You can use a salt as well.

Nishant
  • Good idea, I will try to save them in an XML file. – hguser Dec 27 '10 at 11:57
  • Don't just obfuscate passwords - if someone gets access to the user file, in most cases the attacker will be able to reverse the obfuscation and read the user passwords in plain text. Better to use a non-reversible operation together with a salt that should be different for each user (e.g. HMAC-SHA1). – Robert Dec 27 '10 at 12:24
  • In fact, the password is not the point; we just use the application as a demo. I care about concurrency when more than one user registers. – hguser Dec 27 '10 at 13:37
  • This might help. See here for more discussion on concurrency: http://stackoverflow.com/questions/320159/howto-synchronize-file-access-in-a-shared-folder-using-java-or-readwritelock-on But if it's just a demo, you can have just one admin who can edit the file. Or, since you do not need the password thing, just make the file by hand and use it as read-only. That is the way it is done for Subversion server configuration. – Nishant Dec 27 '10 at 14:03
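The pieces from both answers and Robert's comment, put together as an added example (this is not code from either answer or from the asker's application): user records live in an XML file, each password is stored only as a per-user salted, one-way hash, and every read-modify-write of the file is done under an operating-system file lock so two running instances registering at the same time cannot overwrite each other's changes. Assumptions of mine that are not in the thread: the file is named `users.xml`, PBKDF2 with HMAC-SHA-256 is used instead of the HMAC-SHA1 Robert mentioned, and the iteration count is an arbitrary starting point.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.channels.*;
import java.nio.file.*;
import java.security.*;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

/** File-backed user store: salted PBKDF2 hashes in an XML file, guarded by an OS file lock. */
public class XmlUserStore {
    private static final int ITERATIONS = 100_000; // assumed work factor; tune to your hardware
    private static final int KEY_BITS = 256;
    private final Path file;

    public XmlUserStore(Path file) { this.file = file; }

    /** One-way, per-user salted hash; nothing reversible is ever written to disk. */
    static byte[] hash(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Registers a user (false if the name is taken). The exclusive FileChannel lock keeps other
     *  processes out; `synchronized` is still needed because a second thread in the same JVM
     *  would get OverlappingFileLockException instead of blocking. */
    public synchronized boolean addUser(String username, char[] password, String permissions) throws Exception {
        try (FileChannel ch = FileChannel.open(file, StandardOpenOption.READ,
                 StandardOpenOption.WRITE, StandardOpenOption.CREATE);
             FileLock lock = ch.lock()) {
            Document doc = load(ch);
            if (find(doc, username) != null) return false;
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            Element user = doc.createElement("user");
            append(doc, user, "username", username);
            append(doc, user, "salt", Base64.getEncoder().encodeToString(salt));
            append(doc, user, "password", Base64.getEncoder().encodeToString(hash(password, salt)));
            append(doc, user, "permission", permissions);
            doc.getDocumentElement().appendChild(user);
            save(ch, doc);
            return true;
        }
    }

    /** Checks a login under a shared (read) lock with a constant-time hash comparison. */
    public synchronized boolean verify(String username, char[] password) throws Exception {
        try (FileChannel ch = FileChannel.open(file, StandardOpenOption.READ);
             FileLock lock = ch.lock(0L, Long.MAX_VALUE, true)) {
            Element user = find(load(ch), username);
            if (user == null) return false;
            byte[] salt = Base64.getDecoder().decode(text(user, "salt"));
            byte[] stored = Base64.getDecoder().decode(text(user, "password"));
            return MessageDigest.isEqual(stored, hash(password, salt));
        }
    }

    private static Document load(FileChannel ch) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entity tricks
        if (ch.size() == 0) {                       // brand-new store: start with an empty <users/>
            Document d = f.newDocumentBuilder().newDocument();
            d.appendChild(d.createElement("users"));
            return d;
        }
        ByteBuffer buf = ByteBuffer.allocate((int) ch.size());
        ch.position(0);
        while (buf.hasRemaining() && ch.read(buf) != -1) { }
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(buf.array()));
    }

    private static void save(FileChannel ch, Document doc) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        t.transform(new DOMSource(doc), new StreamResult(out)); // serializer escapes '<' and '&' in values
        ch.truncate(0).position(0);
        ByteBuffer buf = ByteBuffer.wrap(out.toByteArray());
        while (buf.hasRemaining()) ch.write(buf);
        ch.force(true);
    }

    private static Element find(Document doc, String username) {
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            if (username.equals(text(u, "username"))) return u;
        }
        return null;
    }

    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent();
    }

    private static void append(Document doc, Element parent, String tag, String value) {
        Element e = doc.createElement(tag);
        e.setTextContent(value);
        parent.appendChild(e);
    }

    public static void main(String[] args) throws Exception {
        XmlUserStore store = new XmlUserStore(Paths.get("users.xml")); // assumed file name
        System.out.println("added:    " + store.addUser("first_user", "correct horse".toCharArray(), "1,3,4"));
        System.out.println("login ok: " + store.verify("first_user", "correct horse".toCharArray()));
        System.out.println("wrong pw: " + store.verify("first_user", "wrong".toCharArray()));
    }
}
```

Two points worth noting for anyone adapting this: the lock is advisory, so it only protects against other programs that also call `FileChannel.lock()` on the same file, and if the file lives on a shared folder the lock's behaviour depends on the network file system, which is the caveat behind the linked question on synchronising file access in a shared folder. Even for a demo, keeping the hash one-way costs nothing, and it means the file can be handed to anyone (or checked into configuration, as the Subversion comparison suggests) without exposing the passwords.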