Re: Best practice? Web application: single PostgreSQL

From: Julian North <jnorth(at)lastminute(dot)com>
To: "'Keith G(dot) Murphy'" <keithmur(at)mindspring(dot)com>
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Best practice? Web application: single PostgreSQL
Date: 2004-01-13 16:39:08
Message-ID: A9F75F9AB514D611A69D0002A5AD9BED116CB5D5@lmnukex05.lastminute.com
Lists: pgsql-general

I have always tended towards building simple user authentication
structures into the application, rather than the database.

Historically I've been an MS SQL developer and have seen both
environments modelled in the Microsoft sphere. Doing everything in
the database is good if you're building a heavily database
orientated application (cos you get all the advantages of knowing
who's doing what in procedures and triggers and stuff) but can be
a headache if you're not.

The other main issue I've had in the past is migration and support.
You're relying on being able to run your application in the same
sort of environment ongoing. This may not be a problem if you're
happy to tie yourself into LDAP / Postgres as a platform.

As for security, the main concern (true in the Windows world too) is
that you don't usually want to give users authenticated on the
network any sort of access to the database, which you have to do
if you're integrating security models.

At the same time LDAP provides a whole host of security benefits
that you must be careful not to ignore if you do it yourself.

Personally I prefer the separated application approach with mixtures
of security in the application layer using 1 & 2 way encryption, SSL
over HTTP and that sort of thing.

-----Original Message-----
From: Keith G. Murphy [mailto:keithmur(at)mindspring(dot)com]
Sent: 13 January 2004 16:13
To: pgsql-general
Subject: [GENERAL] Best practice? Web application: single PostgreSQL user vs. multiple users

I'm trying to get a feel for what most people are doing or consider best
practice.

Given a mod_perl application talking to a PostgreSQL database on the
same host, where different users are logging onto the web server using
LDAP for authentication, do most people

1) have the web server connecting to the database using its own user
account (possibly through ident), and controlling access to different
database entities strictly through the application itself

2) have the web server connecting to the database actually using the
user's account (possibly using LDAP authentication against PostgreSQL),
and controlling access to different database entities through GRANT, etc.

Obviously, (2) leads to more database connections, and you still have to
have the application do some work in terms of which forms are available
to which users, etc. But I'm a little worried about whether it's best
security practice.

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
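The GRANT-based model of option (2) above, sketched as an added SQL example that is not part of this thread; the table, the group roles and the user roles are constructed for illustration. It goes slightly beyond the question by routing privileges through group roles, so each per-user LOGIN role needs no individual GRANTs, and it shows the single-role setup of option (1) at the end for contrast.

```sql
-- Option 2: one database role per web user; access decided by GRANT.
-- All names below are constructed for this example.

-- Closed default: PUBLIC gets nothing in the schema.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Group roles carry the privileges; users only inherit them.
CREATE ROLE booking_readers NOLOGIN;
CREATE ROLE booking_editors NOLOGIN;

CREATE TABLE bookings (
    id       serial PRIMARY KEY,
    customer text NOT NULL,
    amount   numeric(10,2) NOT NULL
);

GRANT USAGE ON SCHEMA public TO booking_readers, booking_editors;
GRANT SELECT ON bookings TO booking_readers;
GRANT SELECT, INSERT, UPDATE ON bookings TO booking_editors;
GRANT USAGE, SELECT ON SEQUENCE bookings_id_seq TO booking_editors;

-- One LOGIN role per web user. Password auth is shown here; whether the
-- server checks the password itself or via LDAP is a pg_hba.conf matter.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-change-me';
GRANT booking_readers TO alice;
GRANT booking_editors TO bob;

-- Check (run as a superuser): the server, not the application, enforces
-- what alice may do, so an application bug cannot widen her access.
SET ROLE alice;
SELECT customer, amount FROM bookings;               -- allowed
INSERT INTO bookings (customer, amount)
    VALUES ('test', 1.00);                            -- fails: permission denied
RESET ROLE;

-- Option 1, for contrast: a single application role holding every
-- privilege; per-user access control then lives entirely in the app.
CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me';
GRANT USAGE ON SCHEMA public TO webapp;
GRANT ALL ON bookings TO webapp;
GRANT USAGE, SELECT ON SEQUENCE bookings_id_seq TO webapp;
```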

________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________
