From: pgsql-general-owner@postgresql.org on behalf of Leonardo F
Sent: Fri 14/05/2010 14:24
To: pgsql-general@postgresql.org
Subject: Re: [GENERAL] Authentication method for web app
>I think this point number 2 is pretty important. If at all possible, keep
> the webapp separate from the database, and keep the database
> server on a fairly restrictive firewall. This means that someone has
> got to get in to the webapp, then hop to the database server, it just
> adds another layer of mis-direction for any would-be evil doers.
Which are the authentication methods "recommended" in this
scenario? It sounds to me that no matter the auth mechanism,
if a user can connect to the webapp server with the user that runs
the webapp there's no way of avoiding the connection to the db
(since the user will then be free to see/do whatever the webapp was
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Here is my 2 pence:
There are 2 types of security in computer. Physical and non-physical.
You are correct in saying that if someone were to get the user credentials of the user that the web app runs under, then they could access nearly everything that the web app could see. You then have to decide how to protect those credentials. Your web app should never disclose them, and a person should not give them out.
Bottom line, secure your server physicall, as well as logically. Don't give the web app users password out, don't give it a login shell etc..etc..
