On Tue, 13 Jan 2004, Keith G. Murphy wrote:
> I'm trying to get a feel for what most people are doing or consider best
> practice.
>
> Given a mod_perl application talking to a PostgreSQL database on the
> same host, where different users are logging onto the web server using
> LDAP for authentication, do most people
>
> 1) have the web server connecting to the database using its own user
> account (possibly through ident), and controlling access to different
> database entities strictly through the application itself
>
> 2) have the web server connecting to the database actually using the
> user's account (possibly using LDAP authentication against PostgreSQL),
> and controlling access to different database entities through GRANT, etc.
>
> Obviously, (2) leads to more database connections, and you still have to
> have the application do some work in terms of which forms are available
> to which users, etc. But I'm a little worried about whether it's best
> security practice.
I do #1- most connections are not persistent though I have done those
before as well. Security-wise I'm been reviewing the pros and cons
of this and so far I really can't make much of an argument for #2.
Just the opposite in fact. The one thing I will be doing though,
for more security, is create a special webuser for that client.
---
Keith C. Perry
Director of Networks & Applications
Visions Communications Support Network, Inc.
netadmin@vcsn.com
http://vcsn.com
---
