One other thing. Another approach to this problem would be to have some
sort of code signing/authentication capabilities for the postgresql
server. For instance, you login as an administrator (some sort of
enhanced privs), you get to look at the databases you have permission
for. Otherwise, postgresql has to recognize the application. Has this
ever been discussed?
Paul Lambert wrote:
> Andrus wrote:
>>> Run the application on a machine you control. Then the application can
>>> authenticate without the users being able to steal or piggyback on its
>>> credentials.
>>
>> Thank you for reply.
>>
>> My application is GUI applicatio which must run in customer computer and
>> accesses to 5432 port in remote PostgreSQL server located in customer
>> side over internet.
>> I cannot control customer computers.
>>
>> Andrus.
>>
>>
>>
>>
>> ---------------------------(end of broadcast)---------------------------
>> TIP 9: In versions below 8.0, the planner will ignore your desire to
>> choose an index scan if your joining column's datatypes do not
>> match
>>
>>
>
> If the users have access to the database via having a
> username/password then it seems to me that they could use basically
> anything to connect via ODBC to the database and retrive/look
> at/update data. M$ Excel, Acces, reporting things like crystal reports
> etc and of course pgAdmin.
>
> If you hide the database username and password within your application
> (i.e. encrypted within the source code) so they cannot see the
> credentials that you connect to the database with internally then they
> have no means by which to connect to it using any other programs.
>
> What I gather is users in your case are set up as database users
> rather then having a users table on which your application
> authenticates. The downside of doing it the way you are doing it is
> always going to be that any user with a database username and password
> can connect to the database by any means they come by. I'm no Postgres
> expert, but I'm sure like any other RDBMS, postgres does not know, nor
> care, what application is doing the connection but rather just accepts
> an ODBC connection and the credentials that are passed to it.
>
> Regards,
> Paul.
>