Tomcat/Database Setup - JDBC Connection Pooling

Question

I am researching the setup of how Java EE database (such as Tomcat) connections to a database (let's say, Oracle) are setup.

Based on what I am reading, the use of dedicated connections for each user be established is not as efficient as using "connection pools", so this would normally be preferred setup.

This leads to these questions:

Question 1) How best to discriminate between users to ensure that they don't connect with the incorrect access privileges. For instance, a data consumer wouldn't be connected with the same privileges as admin.

Based on my surface level understanding, there might be separate types of connection pools set up for different classes of users though obviously admin would be much smaller, or perhaps use of filters.

Question 2) How changes made by a specific person are tracked with the use of connection pools. It would appear everyone has the same login? If so, I am guessing login authentication is done by the web server itself before they can connect to the database itself.

Answer 1

Users should not under any circumstances be given a connection to your database. If you grant database access to remote users, they can do whatever they want to your database. For instance, delete it. You don't want this. Your web server should be the only thing that makes a connection to the database.

Your web server should have methods that access the database to perform operations that you explicitly allow for users with given privileges. For instance, an admin user may have access to the banUser() method that sets a banned flag for a record in your users table. But you wouldn't want regular users to have access to that function. Maybe normal users and admin users could have access to the editBio() method. This discrimination is handled by your authentication and authorization mechanisms, which it sounds like you need to read up on.