Re: User permissions - Mailing list pgsql-general

From tony
Subject Re: User permissions
Date
Msg-id 1015942987.5495.20.camel@vaio
In response to Re: User permissions  ("Lars Preben S. Arnesen" <l.p.arnesen@usit.uio.no>)
Responses Re: User permissions  ("Lars Preben S. Arnesen" <l.p.arnesen@usit.uio.no>)
List pgsql-general
On Tue, 2002-03-12 at 15:15, Lars Preben S. Arnesen wrote:
> [ tony ]
>
> > What middleware are you using? If you are using Java/JSP then you fix
> > the permissions at the web page level.
>
> I'm going to use Zope, but that's not the point.

Yes it is.

> If the web
> application layer contains holes, it may enable the web user to pass
> on sql commands through the application layer down to the database. Of
> course I'm going to do all I can to prevent this, but I want security
> in the database layer.

In my case they are going to need the database user name and password,
spoof the application server IP number, upload their own JSP to the
application server... The only connection allowed to the database is
from the application server via a well defined connection account.

> The web user is going to fetch, alter and insert data into the
> database, but I want to do it in controlled forms - by predefining
> functions for all the legal operations.

That is what JSP does. It is executed on the server and it is secure (as
secure as Java gets which seems to be a little more than PHP...)

Cheers

Tony

--
RedHat Linux on Sony Vaio C1XD/S
http://www.animaproductions.com/linux2.html
Macromedia UltraDev with PostgreSQL
http://www.animaproductions.com/ultra.html
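
The database-layer approach discussed in this message (predefined functions for every legal operation, reached through one connection account from the application server), as an added example that is not part of the original thread. It assumes a current PostgreSQL release run by a superuser in a scratch database; the roles, schema, table, function and address shown are hypothetical.

```sql
-- Hypothetical names: roles app_owner / web_app, schema api, table public.orders.
-- Connection restriction (pg_hba.conf, assumed app-server address 192.0.2.10):
--   host  shop  web_app  192.0.2.10/32  scram-sha-256

CREATE ROLE app_owner NOLOGIN;   -- owns the data, never logs in
CREATE ROLE web_app LOGIN;       -- the account the application server connects as

CREATE SCHEMA api AUTHORIZATION app_owner;

CREATE TABLE public.orders (
    id        bigserial PRIMARY KEY,
    customer  text        NOT NULL,
    item      text        NOT NULL,
    quantity  integer     NOT NULL CHECK (quantity > 0),
    created   timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE public.orders OWNER TO app_owner;

-- The web account gets no direct table access at all.
REVOKE ALL ON public.orders FROM PUBLIC, web_app;

-- One predefined "legal operation". SECURITY DEFINER makes it run with the
-- owner's rights; the pinned search_path keeps a caller from shadowing names.
CREATE FUNCTION api.place_order(p_customer text, p_item text, p_quantity integer)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    INSERT INTO public.orders (customer, item, quantity)
    VALUES (p_customer, p_item, p_quantity)
    RETURNING id;
$$;
ALTER FUNCTION api.place_order(text, text, integer) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default, so revoke before granting.
REVOKE ALL ON FUNCTION api.place_order(text, text, integer) FROM PUBLIC;
GRANT USAGE ON SCHEMA api TO web_app;
GRANT EXECUTE ON FUNCTION api.place_order(text, text, integer) TO web_app;

-- Verify what the web account can actually do.
SELECT has_table_privilege('web_app', 'public.orders', 'SELECT, INSERT, UPDATE, DELETE');
SELECT has_function_privilege('web_app', 'api.place_order(text, text, integer)', 'EXECUTE');

SET ROLE web_app;
SELECT api.place_order('alice', 'widget', 2);  -- goes through the function
RESET ROLE;
```

With this layout, SQL passed through a hole in the application layer still runs as `web_app` and is limited to the granted functions.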

