| From: | tony <tony(at)animaproductions(dot)com> |
|---|---|
| To: | "Lars Preben S(dot) Arnesen" <l(dot)p(dot)arnesen(at)usit(dot)uio(dot)no> |
| Cc: | postgres list <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: User permissions |
| Date: | 2002-03-12 14:23:07 |
| Message-ID: | 1015942987.5495.20.camel@vaio |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Tue, 2002-03-12 at 15:15, Lars Preben S. Arnesen wrote:
> [ tony ]
>
> > What middleware are you using? If you are using Java/JSP then you fix
> > the permissions at the web page level.
>
> I'm going to use Zope, but that's not the point.
Yes it is
If the web
> application layer contains holes, it may enable the web user to pass
> on sql commands through the application layer down to the database. Of
> course I'm going to do all I can to prevent this, but I want security
> in the database layer.
In my case they are going to need the database user name and password,
spoof the application server IP number, upload their own JSP to the
application server... The only connection allowed to the database is
from the application server via a well defined connection account.
> The web user is going to fetch, alter and insert data into the
> database, but I want to do it in controlled forms - by predefining
> functions for all the legal operations.
That is what JSP does. It is executed on the server and it is secure (as
secure as Java gets which seems to be a little more than PHP...)
Cheers
Tony
--
RedHat Linux on Sony Vaio C1XD/S
http://www.animaproductions.com/linux2.html
Macromedia UltraDev with PostgreSQL
http://www.animaproductions.com/ultra.html
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Manuel Martin | 2002-03-12 14:50:17 | how to get info about spatial extension of pgsql? |
| Previous Message | Joseph Koenig | 2002-03-12 14:17:41 | cannot initdb |