From: "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at>
To: "Andreas *EXTERN*" <maps(dot)on(at)gmx(dot)net>, <pgsql-general(at)postgresql(dot)org>
Subject: Re: Philosophical question
Date: 2011-12-14 16:01:11
Message-ID: D960CB61B694CF459DCFB4B0128514C2073C8C2C@exadv11.host.magwien.gv.at
Lists: pgsql-general
Andreas wrote:
> I asked elsewhere about the best way to store db credentials within a
> user-session of a web-app.
>
> It appeared that it was for everybody but me evident that instead of
> having a db-role+passwd for every user of an application it was better
> to have just 1 set of db-credentials for the application and recreate a
> user management within the app instead of using the existing user handling
> of the dbms.
>
> That way the app checks the user's password as a md5 in some table and
> remembers "user is logged in" for later. The actual queries would be
> done with a common set of real db credentials.
>
> Pro: No one could bypass the app and use e.g. pgAdmin to access the DB
> instead of the app.
>
> Con: A bug in the app could give anyone the access level of the app's
> credentials which might offer admin rights if such power is needed at
> least for some users.
>
> What's your opinion?
You forgot the most important pro:
If the web application server uses a single database user, you can
use connection pooling, i.e. reuse connections instead of maintaining
one connection per database user. This will boost performance.
True, you could have a connection pool and use ALTER SESSION AUTHORIZATION
to become a certain database user for one request, but that means
that the application server login user must be a superuser, which is
a terrible idea.
Yours,
Laurenz Albe
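The "one pooled login, switch identity per request" pattern discussed above, as an added PostgreSQL example that is not part of the thread. It uses SET ROLE instead of session authorization: SET ROLE only requires the pooled login to be a member of the target role, so the pool user can stay an ordinary, non-superuser role. The role and table names (app_pool, alice, bob, invoices) and the password are made up for illustration; the statements assume PostgreSQL 8.1 or later, where SET ROLE and role membership exist.

```sql
-- Added example, not from the mailing-list thread. Names are hypothetical.

-- One-time setup, run as a role allowed to CREATE ROLE (e.g. the database owner).
-- app_pool is the only credential the web application holds.
CREATE ROLE app_pool LOGIN NOINHERIT PASSWORD 'change-me';
-- Application users are real database roles but cannot log in themselves,
-- so they cannot bypass the app with pgAdmin; the app is the only door.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;

-- Membership is what SET ROLE checks. NOINHERIT on app_pool means it does NOT
-- get alice's and bob's privileges merely by being a member; it may only
-- become them explicitly.
GRANT alice TO app_pool;
GRANT bob   TO app_pool;

CREATE TABLE invoices (id serial PRIMARY KEY, owner text NOT NULL, amount numeric);
REVOKE ALL ON invoices FROM PUBLIC;
GRANT SELECT ON invoices TO alice;            -- alice may read; bob and app_pool hold nothing
INSERT INTO invoices (owner, amount) VALUES ('alice', 10), ('bob', 20);  -- as table owner

-- Per-request pattern, executed by the app on a pooled connection logged in as app_pool.
-- Request on behalf of alice:
SET ROLE alice;
SELECT current_user, session_user;            -- alice | app_pool (session_user stays app_pool)
SELECT * FROM invoices;                       -- succeeds: alice holds SELECT
RESET ROLE;                                   -- hand the connection back to the pool clean

-- Request on behalf of bob:
SET ROLE bob;
SELECT * FROM invoices;                       -- ERROR: permission denied for table invoices
RESET ROLE;

-- A pooled connection that forgot to switch:
SELECT * FROM invoices;                       -- ERROR: permission denied (app_pool owns no privileges)

-- The variant the reply warns about, shown for contrast only:
-- SET SESSION AUTHORIZATION alice;           -- only allowed if app_pool logged in as a superuser
```

Two caveats a practitioner should keep in mind. First, RESET ROLE is available to whatever SQL the application runs, so a SQL injection on a request running as alice can issue RESET ROLE and then SET ROLE bob; SET ROLE therefore bounds a bug to "what any application user may do" rather than to one user, which is still the same bound as the shared-credential design, but without granting superuser and with current_user available for per-user auditing. Second, keep the pooled role itself free of any privileges (NOINHERIT plus no direct grants), otherwise a connection that skips the SET ROLE silently runs with the union of everything the pool role was given.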