Oracle FAQ Your Portal to the Oracle Knowledge Grid

Security problems with JDBC access to Oracle database

From: Christian Böttger <i2010506_at_octopus.isl.org>
Date: 1998/02/17
Message-ID: <m2lnvabeb9.fsf@octopus.isl.org>#1/1

G'day!

We want to build a system where several different users can access several different databases running on different computers from a Java applet in a browser or a Java application (running on the client machine), using JDBC over a possibly insecure net (e.g. the Internet).

Database: Oracle 7.1 (on Solaris (PC and SUN))
Java: JDK 1.1.4 + JDBC + own class library for database access (GUI)
Network protocol: TCP/IP

All the databases contain data of all the users in the same tables - that means the different rows of each table are owned by different users (for example invoices or orders in the MESSAGE table). This is accomplished by an internal member and membergroup table with relations (foreign keys) into the data table rows.

Therefore, two names and passwords are needed: one for the database access and one for accessing the data within the database. For an administrator it should be possible to configure which user is allowed to access which database.

Our problems:

(1) How and where can we store the database connect information (URL + name + password) so that it remains unknown to the users, preventing them from accessing the database with other tools (e.g. SQL monitors) and possibly reading the data of other users?

(2) How can we assure that the database connect information (URL + name + password) used by the applet can never be reconstructed by the applet user - maybe from a hexdump of the applet code, from the decompiled applet code or from the content of IP packages, or, or, ...?

(3) How can we encrypt the user data within the database so that they can be read only by those users who own them (for example sender and receiver of an invoice) - and by nobody else, not even by the database administrator?

Best regards

Christian Boettger

-- 
Dr. Christian Boettger                                boettger_at_isl.org
Institute of Shipping Economics and Logistics, Bremen, Germany
phone +49-421-22096-21   fax +49-421-22096-55
Received on Tue Feb 17 1998 - 00:00:00 CST

