Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-14 Thread Chris Travers
> I do #1- most connections are not persistent though I have done those > before as well. Security-wise I've been reviewing the pros and cons > of this and so far I really can't make much of an argument for #2. > Just the opposite in fact. The one thing I will be doing though, > for more security,

Re: [GENERAL] Best practice? Web application: single PostgreSQL user vs. multiple users

2004-01-14 Thread Chris Travers
Hi Keith and others, Personally I am rather humble regarding my ability to write unassailable programs from a security perspective, so I tend to use individual database accounts for individual users. I know that under certain environments this may not scale well and connection pooling may be requ

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Shridhar Daithankar
On Tuesday 13 January 2004 22:13, Keith G. Murphy wrote: > John Sidney-Woollett wrote: > > What you could consider is one or more pools which map to the "roles" > > that your (web) app supports. For example, if a user needs "minimal > > rights" access to db resources, then your cgi (request handler

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Alex Satrapa
Keith Murphy wrote: At some point, I may try rolling my own PAM module (as Tom Lane suggested) that uses the user's browser-authenticated username and password to map to a PostgreSQL username that constitutes a "role" (assuming that's possible). One option is to add an extra layer of indirection

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Keith Murphy
scott.marlowe wrote: On Tue, 13 Jan 2004, Keith G. Murphy wrote: I'm trying to get a feel for what most people are doing or consider best practice. Given a mod_perl application talking to a PostgreSQL database on the same host, where different users are logging onto the web server using LDAP

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Keith G. Murphy
Tom Lane wrote: "Keith G. Murphy" <[EMAIL PROTECTED]> writes: Hmmm, mightn't it be kind of nice if there were PAM or krb5 maps in addition to ident maps? ISTM the whole point of PAM is that you plug in your desired security policy outside of the application. You shouldn't be asking for more s

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Tom Lane
"Keith G. Murphy" <[EMAIL PROTECTED]> writes: > Hmmm, mightn't it be kind of nice if there were PAM or krb5 maps in > addition to ident maps? ISTM the whole point of PAM is that you plug in your desired security policy outside of the application. You shouldn't be asking for more security frammis

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread scott.marlowe
On Tue, 13 Jan 2004, Keith G. Murphy wrote: > I'm trying to get a feel for what most people are doing or consider best > practice. > > Given a mod_perl application talking to a PostgreSQL database on the > same host, where different users are logging onto the web server using > LDAP for authen

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread John Sidney-Woollett
Keith G. Murphy said: > Perhaps I can answer my own question. I could use ident and a map that > lists the web server username as able to map to the different "role" > usernames. Someone else also mentioned and I personally agree that it's better to authenticate in the application layer (using wh

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Keith G. Murphy
John Sidney-Woollett wrote: Keith G. Murphy said: That sounds like an excellent compromise. How do you typically handle the mechanics of authentication from web server to PostgreSQL on the connect, using this scheme? Sorry but I can't help you out here, I'm too much of a newbie with Postgres -

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread John Sidney-Woollett
Keith G. Murphy said: > That sounds like an excellent compromise. How do you typically handle > the mechanics of authentication from web server to PostgreSQL on the > connect, using this scheme? Sorry but I can't help you out here, I'm too much of a newbie with Postgres - I was hoping that someon

Re: [GENERAL] Best practice? Web application: single PostgreSQL

2004-01-13 Thread Keith G. Murphy
John Sidney-Woollett wrote: Keith G. Murphy said: 2) have the web server connecting to the database actually using the user's account (possibly using LDAP authentication against PostgreSQL), and controlling access to different database entities through GRANT, etc. My experience with java web/ap
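The two mechanisms the thread circles around, an ident map that lets the web server's OS account connect as one of several "role" database users (Keith's suggestion above) and GRANT-based access control on those users (the scheme in this last message), fit together as below. This is an added example, not code from any of the posters; the database name webapp, the OS user www-data, the user names web_reader/web_editor/web_admin, the tables and the privilege split are all assumptions made up for illustration. The config fragments are shown as comments in 7.4-era syntax, with the modern equivalent noted, since this is what a mod_perl host on the same machine would have used at the time.

```sql
-- pg_hba.conf (PostgreSQL 7.4-era syntax, assumed). Unix-socket
-- connections to "webapp" are authenticated with ident, consulting the
-- map named "webmap" instead of requiring a password:
--
--   # TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD
--   local   webapp    all                        ident webmap
--
-- pg_ident.conf: which database users the web server's OS account
-- (assumed to be www-data) may connect as. Nothing else maps, so some
-- other local account cannot log in as web_admin; but any code running
-- as www-data can choose any of the three.
--
--   # MAPNAME  IDENT-USERNAME  PG-USERNAME
--   webmap     www-data        web_reader
--   webmap     www-data        web_editor
--   webmap     www-data        web_admin
--
-- On current releases the hba line is
--   local   webapp    all                        peer map=webmap
-- and the pg_ident.conf columns are MAPNAME SYSTEM-USERNAME PG-USERNAME;
-- the mapping semantics are the same.

-- The "role" accounts. 7.4 had users and groups rather than roles, so
-- these are plain users (CREATE ROLE ... LOGIN on newer servers).
CREATE USER web_reader;
CREATE USER web_editor;
CREATE USER web_admin;

-- Constructed example schema to hang privileges on.
CREATE TABLE orders (
    id        serial PRIMARY KEY,
    customer  text NOT NULL,
    total     numeric(10,2) NOT NULL
);

-- The audit row records both the mapped database user (current_user)
-- and the browser-authenticated name, which only the application knows
-- once users share a handful of database accounts.
CREATE TABLE audit_log (
    id         serial PRIMARY KEY,
    db_user    text NOT NULL DEFAULT current_user,
    app_user   text NOT NULL,
    action     text NOT NULL,
    logged_at  timestamp NOT NULL DEFAULT now()
);

-- Least privilege per role, enforced by the server rather than by the
-- application's own checks: the reader only reads, the editor may change
-- orders and must append to the audit log, only the admin may delete
-- orders or touch existing audit rows.
GRANT SELECT ON orders TO web_reader;
GRANT SELECT, INSERT, UPDATE ON orders TO web_editor;
GRANT INSERT ON audit_log TO web_editor;
GRANT ALL ON orders, audit_log TO web_admin;

-- serial columns call nextval(), which needs UPDATE on the sequence
-- (USAGE also works on 8.2 and later).
GRANT SELECT, UPDATE ON orders_id_seq, audit_log_id_seq TO web_editor, web_admin;

-- Check from a session connected as web_reader: this must fail with
-- "permission denied for relation orders" (wording varies by release).
-- INSERT INTO orders (customer, total) VALUES ('acme', 10.00);
```

The request handler then connects over the socket as whichever user its own authorization decision picked, with an empty password, e.g. in the mod_perl app `DBI->connect('dbi:Pg:dbname=webapp', 'web_editor', '')` (DBI/DBD::Pg usage assumed), and the server accepts it only because the peer process runs as www-data. Two caveats follow directly from the thread: the application, not PostgreSQL, still decides which role a browser user gets, so a bug there can hand out web_admin; and compromise of anything running as www-data yields the union of all mapped users, not the rights of the user who was logged in. The map limits the blast radius to those three accounts; it does not make the web tier trustworthy.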