Re: Best practice? Web application: single PostgreSQL
| From | Julian North |
|---|---|
| Subject | Re: Best practice? Web application: single PostgreSQL |
| Date | |
| Msg-id | A9F75F9AB514D611A69D0002A5AD9BED116CB5D5@lmnukex05.lastminute.com |
| List | pgsql-general |
I have always tended towards building simple user authentication structures into the application, rather than the database. Historically I've been an MS SQL developer and have seen both environments modelled in the Microsoft sphere. Doing everything in the database is good if you're building a heavily database-orientated application (cos you get all the advantages of knowing who's doing what in procedures and triggers and stuff) but can be a headache if you're not.

The other main issue I've had in the past is migration and support. You're relying on being able to run your application in the same sort of environment ongoing. This may not be a problem if you're happy to tie yourself into LDAP / Postgres as a platform.

As for security, the main concern (true in the Windows world too) is that you don't usually want to give users authenticated on the network any sort of access to the database, which you have to do if you're integrating security models. At the same time LDAP provides a whole host of security benefits that you must be careful not to ignore if you do it yourself.

Personally I prefer the separated application approach with mixtures of security in the application layer using 1- and 2-way encryption, SSL over HTTP and that sort of thing.

-----Original Message-----
From: Keith G. Murphy [mailto:keithmur@mindspring.com]
Sent: 13 January 2004 16:13
To: pgsql-general
Subject: [GENERAL] Best practice? Web application: single PostgreSQL user vs. multiple users

I'm trying to get a feel for what most people are doing or consider best practice.

Given a mod_perl application talking to a PostgreSQL database on the same host, where different users are logging onto the web server using LDAP for authentication, do most people

1) have the web server connecting to the database using its own user account (possibly through ident), and controlling access to different database entities strictly through the application itself

2) have the web server connecting to the database actually using the user's account (possibly using LDAP authentication against PostgreSQL), and controlling access to different database entities through GRANT, etc.

Obviously, (2) leads to more database connections, and you still have to have the application do some work in terms of which forms are available to which users, etc. But I'm a little worried about whether it's best security practice.
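The two designs in Keith's question, side by side, as an added SQL sketch that is not from the thread; the bookings table, the database name appdb, the roles webapp and webusers, and the users alice and bob are all assumed:

```sql
-- Added illustration, not code from the thread; table, role and user names are assumed.
CREATE TABLE bookings (
    id      serial PRIMARY KEY,
    owner   text NOT NULL,   -- login name of the user who made the booking
    details text NOT NULL
);
REVOKE ALL ON bookings FROM PUBLIC;   -- nothing is reachable by default

-- Design 1: one application account.  The web server connects as "webapp"
-- (ident over a local socket works for this) and decides in its own code
-- which user may touch which row; the database cannot tell users apart.
CREATE ROLE webapp LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON bookings TO webapp;
GRANT USAGE ON SEQUENCE bookings_id_seq TO webapp;

-- Design 2: the web server connects as the LDAP-authenticated user.
-- Privileges hang off a NOLOGIN group role; each person gets a login role
-- that inherits from it, so GRANTs are written once rather than per user.
CREATE ROLE webusers NOLOGIN;

-- Read access is confined to the caller's own rows by a view that filters
-- on current_user; the application never needs to add a WHERE clause.
CREATE VIEW my_bookings AS
    SELECT id, owner, details FROM bookings WHERE owner = current_user;
ALTER VIEW my_bookings SET (security_barrier = true);  -- PostgreSQL 9.2+
GRANT SELECT ON my_bookings TO webusers;

-- Writes go through a SECURITY DEFINER function so users never hold INSERT
-- on the base table.  Inside such a function current_user is the function
-- owner, so the connected user's name must come from session_user.
CREATE FUNCTION add_booking(p_details text) RETURNS integer AS $$
    INSERT INTO bookings (owner, details) VALUES (session_user, p_details)
    RETURNING id;
$$ LANGUAGE sql SECURITY DEFINER;
REVOKE ALL ON FUNCTION add_booking(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION add_booking(text) TO webusers;

-- Per-user login roles (assumed names).  No password lives in the database;
-- pg_hba.conf sends members of webusers to LDAP, for example:
--   host  appdb  +webusers  127.0.0.1/32  ldap ldapserver=ldap.example.org ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=org"
CREATE ROLE alice LOGIN IN ROLE webusers;
CREATE ROLE bob   LOGIN IN ROLE webusers;
```

With design 2 a bug in the web application can only reach what the connected user's role is allowed to see, which is the property Keith is weighing against the extra connections.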