On 5/9/07, foobarmus <[EMAIL PROTECTED]> wrote:
>
> I'm managing a programming team that's developing a web app in python.
> I'd like to be using Django but can't at the moment because one of the
> things we are doing is driving the application user into the database
> connection, so that we can implement access control at database level.
>
> I would like some opinions on this practice. I think it's important. I
> don't understand why frameworks like Django don't allow for it. It is
> not difficult to do.
>
> Is there some popular wisdom on this issue that I haven't been exposed
> to?

Yes.  The conventional wisdom that everyone "should know" is never to
use such web to database pass-through authentication for anything
bigger than an intranet application behind corporate firewalls/VPNs.

There are huge security concerns with any sort of pass-through
authentication, and putting a pass-through authentication into a
public-facing website is just asking for crackers to sit there and
pound your site for any and every SQL injection they can think of.
Pass-through authentication *can* be just as devastating as allowing
direct remote connections to your database.

If you are willing to _meticulously_ audit every security implication
then good luck.

For a general purpose framework like Django adding support for this
without big flashing warning signs and a general "HERE BE DRAGONS" on
the big map of Django features is not a good idea and a good way to
singe people's fingers.  Furthermore, for the majority of cases this
sort of database authentication is overkill and bad for performance
(instead of maintaining one long session with the database per thread
the framework has to back out and deal with database sessions per
request which just reeks of early (pre-auto-session-magic) bad PHP
applications).

Unfortunately it's a bit late and I can't scrounge up some good links
on the subject (hopefully someone else can follow up with those), but
I hope that I have at least illustrated the conventional wisdom with a
few smudges of reasoning...

Regards,

-- 
--Max Battcher--
http://www.worldmaker.net/
All progress is based upon a universal innate desire on the part of
every organism to live beyond its income. --Samuel Butler

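The following is an added example, not code from this thread or from Django, that makes the pass-through model under discussion concrete: every request opens its own connection bound to the requesting user, and the database, not the application, decides what that connection may touch. sqlite has no user accounts, so a per-connection authorizer stands in for what would be CREATE ROLE / GRANT on a real RDBMS; the users `alice` and `dba`, the `GRANTS` table and the `documents` rows are all constructed for the demo. It also shows why an injection through such a connection is as powerful as a direct login: the injected statement runs with exactly the rights of the connected account, and a WHERE clause filtering rows by owner is not an access-control boundary at all.

```python
import os
import sqlite3
import tempfile

# Constructed sample schema and rows for the demo (not from the original thread).
SCHEMA = [
    "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)",
    "INSERT INTO documents (owner, body) VALUES ('alice', 'alice-private'), ('bob', 'bob-private')",
]

# Hypothetical per-user grants standing in for database roles. On a real RDBMS
# these would be CREATE ROLE / GRANT statements evaluated by the server; sqlite
# has no accounts, so a per-connection authorizer enforces them instead.
GRANTS = {
    "alice": {"read": {"documents"}, "write": set()},          # read-only end user
    "dba":   {"read": {"documents"}, "write": {"documents"}},  # may modify rows, still no DDL
}


def make_authorizer(user, denied):
    """Build an sqlite authorizer callback enforcing GRANTS[user].

    sqlite consults it while *preparing* each statement; any DENY aborts the
    statement. Denials are appended to `denied` so callers can tell an
    authorization failure apart from other database errors.
    """
    grants = GRANTS[user]

    def authorizer(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK  # statement kind only; columns are checked via SQLITE_READ
        if action == sqlite3.SQLITE_READ:
            ok = table in grants["read"]
        elif action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            ok = table in grants["write"]
        else:
            ok = False  # DDL, PRAGMA, ATTACH, transactions: nobody in GRANTS holds these
        if not ok:
            denied.append(f"action {action} on {table}")
        return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY

    return authorizer


def run_as(db_path, user, sql, params=()):
    """Pass-through model: open a connection *for this request's user*, run one
    statement, close it. Returns the rows; raises PermissionError if the
    database refused the statement for this user."""
    denied = []
    # Autocommit, so the Python module issues no implicit BEGIN for the
    # authorizer to judge; the account's grants alone decide the outcome.
    conn = sqlite3.connect(db_path, isolation_level=None)
    conn.set_authorizer(make_authorizer(user, denied))
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        if denied:
            raise PermissionError(f"{user}: {denied[0]} refused by database") from None
        raise
    finally:
        conn.close()


def demo():
    """Seed a temporary database and return what each user's connection could do."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        seed = sqlite3.connect(path, isolation_level=None)  # no authorizer: set-up only
        for stmt in SCHEMA:
            seed.execute(stmt)
        seed.close()

        def attempt(user, sql):
            try:
                run_as(path, user, sql)
                return "executed"
            except PermissionError:
                return "denied"

        out = {}
        # Correct, parameterised query under alice's own connection.
        out["alice_own_rows"] = run_as(
            path, "alice", "SELECT body FROM documents WHERE owner = ?", ("alice",))
        # The vulnerable pattern the message warns about: SQL built by string
        # concatenation. The WHERE clause was the only thing hiding bob's row.
        tainted = "' OR '1'='1"
        out["alice_injected_read"] = run_as(
            path, "alice", "SELECT body FROM documents WHERE owner = '" + tainted + "'")
        # A destructive injected statement is bounded only by the connected account's grants.
        out["alice_injected_delete"] = attempt("alice", "DELETE FROM documents")
        out["dba_injected_drop"] = attempt("dba", "DROP TABLE documents")
        out["dba_injected_delete"] = attempt("dba", "DELETE FROM documents")
        out["rows_left"] = run_as(path, "dba", "SELECT body FROM documents")
        return out
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows alice's injected SELECT returning bob's row (her account may read the whole table; the owner filter was application logic), her injected DELETE refused by the database, and the same DELETE succeeding for the `dba` account while the DROP is still refused. The cost the message describes is also visible in `run_as`: because the authorization is bound to the connection, as a role is on a real server, the connection cannot be shared across users and has to be opened per request rather than pooled per thread.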
You received this message because you are subscribed to the Google Groups "Django developers" group.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en