Woa! Sorry, I thought I'd explained all that. Data access control *is* via user IDs managed by the database. But it's complicated.
The problem is, the user interface is via a series of web applications, which connect to various databases. Rather than maintain lots of user IDs in each database, the idea is to hold them in one - call it the login database. Then, the web applications query the various databases on behalf of the user, using their own "application user" ID in the other databases. Thus, most of the databases only have two user accounts: the dba and the applications account.
The problem is - the application has to log in to each database as the app user, before it can access the data. Thus, like any other user, the app needs to know its own name and password - so as to match the ones stored in the database.
The problem is, how do we tell the apps what their user ID is?
We do *not* want root to be able to find out (at least, he'd have to be a mega-serious hacker). Currently this info is held in the app's config file which is plain text and so accessible to root. Dang!
Cold fusion is able to encrypt passwords held in this fashion, so root cannot fiddle with it. And once the data admin changes the CF password, neither can the developers.
What we need is the same thing in a java environment instead of cf.
The eternal help vampire