Tags: database, security, web-applications, multi-user

multiple users, multiple applications, one server


I have an idea for a web application that involves multiple users, two different applications (which will be run from a user's local machine), and a remote database server.

Databases stored on remote server:
1) Username database - contains user information
2) application database - contains two rows, one for each application. Stores an application name and password.
3) app1 database - each row stores information about a single user for the first application.
4) app2 database - each row stores information about a single user for the second application.

Each of these two applications will have separate owners and I do not want them to be able to write to the other application's database. Also, because the users will be public users, their password should be required to modify their line in an application database that contains their information.

These are the requirements:
1) Each user has a username and password.
2) Each application has an application name and password.
3) To modify any line in one of the application databases, you will need the user's password and the application owner's password.
4) Applications are run on a user's machine.

I'm really not sure how to do this AND make it secure. Does anyone have any ideas? I would really like to avoid forcing each application owner to have their own server. I would like to have one central server that can store all the information.

Also, there is potential for the number of applications (and application databases) to expand beyond two. The programming languages are not necessarily going to be the same for both applications.


Solution

  • I think I have come up with a solution; if anyone wants to critique it, that would be really helpful. Either that, or if anyone comes up with a better idea, that would be even more helpful.

    This is what I was thinking...
    1) Users of the application initiate the process that would require writing to the database of that application.
    2) The application would collect all required data and make a POST to a servlet, which will be hosted on the main server.
    3) The data would be displayed to the user, and the user would be asked to log in.
    4) Once the user logs in and verifies the data is valid, it is all saved to the database.

    It is a little bit inconvenient that a web browser must be launched just so the user can save their data, but that is really all I can think of. All the other ideas I have been able to think of require at least one party to be entirely honest, which we all know isn't a good risk to be taking.