Re: Philosophical question

From: Serge Fonville <serge(dot)fonville(at)gmail(dot)com>
To: Andreas <maps(dot)on(at)gmx(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Philosophical question
Date: 2011-12-14 12:52:55
Message-ID: CAOAS_+L4jtvrUju_NAryTZ=OY5gpgUG5G-sGyQEsJULidsyp4w@mail.gmail.com
Lists: pgsql-general

Hi,

> I asked elsewhere about the best way to store db credentials within a
> user-session of a web-app.
> It appeared that it was for everybody but me evident that instead of
> having a db-role+passwd for every user of an application it was better to
> have just 1 set of db-credentials for the application and recreate a user
> management within the app instead of using the existing user handling of the
> dbms.
> That way the app checks the user's password as a md5 in some table and
> remembers "user is logged in" for later. The actual queries would be done
> with a common set of real db credentials.
> Pro: No one could bypass the app and use e.g. pgAdmin to access the DB
> instead of the app.
> Con: A bug in the app could give anyone the access level of the app's
> credentials which might offer admin rights if such power is needed at least
> for some users.
> What's your opinion?

Well, as usual, 'it depends'.

One perspective is to create all users in your database and use a
combination of views, functions and stored procedures to handle actions and
events.

Basically this moves a great deal of management to the database instead of
the app.
The benefit would be that the database offers a fixed interface for
communication and you can completely redesign the backend without impacting
the interface to the app.

On the other end, when you use the app for those you often get more
fine-grained control over functionality, since often (though not always)
changing application functionality is easier, and you have the full power
of PL/SQL at your direct disposal.

This does integrate more, but makes you a lot less flexible, imho.

So it depends on where your (or your team's) skills are.

For the rest it depends on the criteria for the app.

HTH

Just my 2ct

Kind regards/met vriendelijke groet,

Serge Fonville

http://www.sergefonville.nl

Convince Google!!
They need to add GAL support on Android (star to agree)
http://code.google.com/p/android/issues/detail?id=4602

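The database-side design Serge sketches above (real roles per user, with views and functions as the only interface to the tables), as an added example for PostgreSQL; this is the editor's illustration, not code from the thread or from the PostgreSQL project. Role, schema, table and function names (app_user, alice, bob, app.notes, app.my_notes, app.add_note, app.accounts) and the sample passwords are assumed. security_barrier views need PostgreSQL 9.2 or later, and the last part needs the pgcrypto extension.

```sql
-- Added example (editor's, not from the thread). Names and passwords are assumed.

-- A NOLOGIN group role holds the privileges; each person gets their own
-- LOGIN role as a member of it, so a session's session_user is the real
-- person rather than one shared application account.
CREATE ROLE app_user NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'changeme' IN ROLE app_user;
CREATE ROLE bob   LOGIN PASSWORD 'changeme' IN ROLE app_user;

CREATE SCHEMA app;
CREATE TABLE app.notes (
    id     serial PRIMARY KEY,
    owner  text NOT NULL DEFAULT session_user,
    body   text NOT NULL
);

-- Nobody but the table owner touches the base table directly ...
REVOKE ALL ON app.notes FROM PUBLIC;

-- ... users see only their own rows through a view. security_barrier
-- (PostgreSQL 9.2+) keeps a user-supplied leaky function in a WHERE
-- clause from being evaluated before the owner filter.
CREATE VIEW app.my_notes WITH (security_barrier = true) AS
    SELECT id, body FROM app.notes WHERE owner = current_user;
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT ON app.my_notes TO app_user;

-- Writes go through a SECURITY DEFINER function: it runs with the
-- function owner's rights, so callers need no INSERT on the table, and
-- the pinned search_path stops a caller from substituting objects.
-- session_user (not current_user) is used because inside a SECURITY
-- DEFINER function current_user is the definer, not the caller.
CREATE FUNCTION app.add_note(p_body text) RETURNS integer
LANGUAGE plpgsql SECURITY DEFINER SET search_path = app, pg_temp AS $$
DECLARE
    new_id integer;
BEGIN
    IF length(p_body) = 0 THEN
        RAISE EXCEPTION 'empty note';
    END IF;
    INSERT INTO notes (owner, body) VALUES (session_user, p_body)
        RETURNING id INTO new_id;
    RETURN new_id;
END $$;
REVOKE EXECUTE ON FUNCTION app.add_note(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.add_note(text) TO app_user;

-- In a session as alice (e.g. psql -U alice):
--   SELECT app.add_note('hello');   -- inserts a row with owner = 'alice'
--   SELECT * FROM app.my_notes;     -- alice's rows only
--   SELECT * FROM app.notes;        -- ERROR: permission denied
-- Connecting with pgAdmin as alice gives exactly the same rights the app
-- would have had on her behalf, which is what answers the "bypass" worry.

-- If the app-side design from the question is chosen instead, the
-- "password as an md5 in some table" part is the weak spot: md5 is fast
-- and unsalted. pgcrypto's crypt() with a bcrypt salt is the server-side
-- replacement; the hash stays in the table and never leaves the database.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE app.accounts (login text PRIMARY KEY, pw_hash text NOT NULL);
INSERT INTO app.accounts VALUES ('carol', crypt('s3cret', gen_salt('bf', 12)));
-- Login check: true only for the right password, constant cost per attempt.
SELECT pw_hash = crypt('s3cret', pw_hash) AS ok
  FROM app.accounts WHERE login = 'carol';
```

The first part is Serge's "fixed interface" in practice: the app (or pgAdmin) can only reach the view and the function, so a bug in the app cannot hand out more than the connected role owns, which is the "Con" Andreas raised against a single shared credential. The second part applies only if the shared-credential design wins; it does nothing about that Con, it just stops the password table from being a cheap target.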

In response to: Philosophical question (Andreas, 2011-12-14 12:32:47)
Followed by: Re: Philosophical question (Craig Ringer, 2011-12-14 13:28:58)