Kevin,

That's an interesting concept. I guess the assumption would be that the page and business logic would be harder to get to if it were in the database?

One client I worked for had the same idea. They did their entire eCommerce site in PL/SQL for Oracle. They didn't do it for security, but because PL/SQL was so versatile. It "rendered" pages, parsed XML, wrote files, and sent email. It was abandoned because it was so complicated and fragile that upgrades took forever, and it took 3 full-time testers to keep bugs (mostly) out of production.

What if you proposed a solution where the unix user that runs the web server would have read-only access to the code, so the OS keeps the app from modifying its own code? That way even if a hacker got access, he could only change things in a limited location (like a temp directory) and wouldn't be able to let things get out of hand. You could even check the site every minute with another checked-out version to see if anything changed from the official svn version.

Or maybe that's not the problem they want to solve?

Joe

On Thu, Sep 24, 2009 at 11:23 AM, Kevin Weller <[email protected]> wrote:
> Hey BDRG-ers!
>
> I have a request by a potential client for an unusual web application
> architecture, and wanted to see if anyone else out there has any ideas or
> knows of any Rails patches or non-Rails MVC webapp frameworks that might fit
> the bill.
>
> Basically, what they want to do is run the entire application within the
> Postgres database engine...data, business logic, page rendering, everything.
> What that suggests to me on first blush is either lots of PL/Ruby (and a
> newly invented internal logical architecture and framework to structure it),
> or patching Rails to pull all its view elements from the database like some
> Content Management System on steroids.
>
> Of course, I will probably be pushing back on this architectural requirement
> for phase 1, just so we can get something working quickly and with minimal
> expense.
> So far, security is the only reason given for the database-centric
> architecture, but we've secured some pretty sensitive systems using more
> traditional web application architectures before. Also, this architecture
> would affect our ability to cluster the application across arrays of cheap
> servers too...we'd be improvising so much that's a given in Rails. I'm not
> so sure that the benefit would be worth the time and expense over a properly
> tiered standard webapp.
>
> Anybody else have any thoughts or references?
>
> - Kevin
> _______________________________________________
> Bdrg-members mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/bdrg-members
>

--
"There are only two industries that refer to their customers as ‘users’." - Edward Tufte
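The two checks suggested in the reply above (code the web server's unix user cannot write, and a periodic comparison of the deployed tree against a clean checkout), sketched as an added example that is not part of the original thread. The script name, the directory arguments and the web server uid are assumptions supplied by whoever runs it; only plain mode bits are examined, not ACLs.

```python
import hashlib
import os
import stat
import sys

def snapshot(root, skip=(".svn",)):
    """Map relative path -> SHA-256 of contents (or symlink target) under root."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]  # ignore VCS metadata
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                seen[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                with open(full, "rb") as fh:
                    seen[rel] = hashlib.sha256(fh.read()).hexdigest()
    return seen

def compare_trees(deployed, reference):
    """Report paths modified, added or removed in deployed vs. the reference checkout."""
    live, ref = snapshot(deployed), snapshot(reference)
    return {
        "modified": sorted(p for p in live.keys() & ref.keys() if live[p] != ref[p]),
        "added": sorted(live.keys() - ref.keys()),
        "removed": sorted(ref.keys() - live.keys()),
    }

def writable_by(root, uid, gids=()):
    """Paths under root that plain mode bits let uid/gids write (ACLs ignored)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        # A writable directory lets its entries be replaced, so check it too.
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            bit = (stat.S_IWUSR if st.st_uid == uid else
                   stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH)
            if st.st_mode & bit:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check.py DEPLOYED_DIR REFERENCE_CHECKOUT WEB_UID")
    report = compare_trees(sys.argv[1], sys.argv[2])
    report["writable"] = writable_by(sys.argv[1], int(sys.argv[3]))
    print(report)
    sys.exit(1 if any(report.values()) else 0)
```

Run from cron under an account other than the web server's, a non-zero exit status signals drift from the checkout or a path the web server user could modify.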
