Hi,
I'm trying to make a web app with form-based user authentication, with connection to a database. Very classical.
All examples I've seen so far (2 or 3) establish the connection to the database directly on the page and hardcode the database user and password in it.
Even if this is JSP code and isn't sent back to the client, I believe this is stupid from a security standpoint.
So I thought it was better to establish the connection through a custom bean and call it in the JSP page. The bean must:
1. call the JDBC driver and make the connection to the database.
2. run a query against it with request-specific parameters.
It seems obvious that the bean should have a session scope.
However, the connection to the database need not be specific to each request. Only the query is specific.
So what should I do?
Create a "connection" bean with application scope and a query bean with session scope? Or use the same bean for both, with connection pooling?
Any remarks welcome. Thanks.
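
The split the question describes, as an added example that is not part of the original post: one application-scoped bean holds a container-managed connection pool, and each request borrows a connection only for its own parameterized query. The class name `AuthBean`, the JNDI name `jdbc/AppDB`, the `users(username, salt, pw_hash)` schema and the PBKDF2 iteration count are all assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.sql.DataSource;

// Hypothetical application-scoped bean: one instance shared by all sessions.
public class AuthBean {
    // Assumed JNDI name. The JDBC URL, database user and password are set in
    // the container's resource configuration, not in any JSP or class file.
    private static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";
    private static final int ITERATIONS = 210_000; // assumed PBKDF2 work factor
    private final DataSource pool;

    public AuthBean() throws Exception {
        this((DataSource) new InitialContext().lookup(JNDI_NAME));
    }

    public AuthBean(DataSource pool) {
        this.pool = pool;
    }

    // Borrows a pooled connection for this call only and returns it on exit.
    public boolean authenticate(String username, char[] password) throws Exception {
        // Assumed schema: users(username, salt, pw_hash) holding PBKDF2 hashes.
        String sql = "SELECT salt, pw_hash FROM users WHERE username = ?";
        try (Connection con = pool.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username); // bound parameter, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user
                }
                byte[] salt = rs.getBytes("salt");
                byte[] stored = rs.getBytes("pw_hash");
                PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, stored.length * 8);
                byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                spec.clearPassword();
                return MessageDigest.isEqual(stored, actual); // constant-time compare
            }
        }
    }
}
```

Only the authenticated user's identity needs to live in the session; no connection or credential is stored per session or written into a page.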