Restrict access to connection pool in Weblogic?

Question

In short, how can I restrict access to connection pool X based on application name or JAR name? A simple use case might help...

A business web-app (call it WEB_APP_A) uses pool Y to do basic look-up SQL. Some users of this web-app have access to also update some sensitive data in the database. This code is provided by a JAR file (call it HR_JAR) that can be dropped in where needed. This JAR uses pool X for all of it's connections.

We don't want developers of WEB_APP_A using pool X. We only want HR_JAR using pool X. This is to keep devs of WEB_APP_A from accidentally or intentionally abusing the access pool X provides.

Some considerations:

1. This is legacy code so HR_JAR is here to stay
2. We are running on Weblogic 9.2
3. We can not keep passwords in any from in the source code
4. We have researched weblogic user level authn/authz for JDBC resources but then this begs the question; how do we secure the user creds we use to become a user per app/jar?

Ideas? Thoughts? I can elaborate more on what I have tried, but I wanted fresh ideas.

Answer 1

There is no good way to do this as far as I can tell. There are some clever tricks with AspectJ but in the end it's more trouble than it's worth.

Answer 2

Haven't ever tried this and don't have access to an instance to play right now, but in your JDBC config you could try adding a <scope> element for the application against pool X, inside the <jdbc-data-source-params> I think... Though that assumes you have a separate application defined for HR.jar, which I'm not sure is the case from your description. I don't know if you can restrict an individual JAR within an application though.