How can I ensure that database security is applied to the current user when I use a connection pool since the connections are created with a default user ID and password?
Most workable security involves groups or levels of users, so that a security conscious connection pool would probably set up connections based on group level passwords. If security is a concern, one should get or create a pool that works as hinted by the ConnectionPoolDataSource class JDBC 2.0 Optional Package. It has the method getPooledConnection(String user, String password). Clearly the intent is that classes of connections are created and when one is requested, the user and password is compared to those of current connections. If there is a request that doesn't match the group levels, a new connection is created and passed back. Of course, this raises the spector of a program having knowledge of passwords and potentially passing them around over the internet, bringing up another yet another security issue, which is probably best resolved by having the pool manager resident on the server.