On Thu, Mar 25, 1999 at 06:45:38PM +0200, Cezar Totth wrote:
> I think it is as much a security threat to let users pass *real* database
> passwords via http posts or basic http authentication.
It should not matter.
* db should be behind a firewall, such that (db, user, pw) is useless
* db user should be sufficiently restricted
* web user name and password give access to all data available in front-end
  (which should be the same as back-end if feasible).
It is probably more pain than needed to map web users to db users
one-to-one. Although it has certain benefits - tracing/logging in
particular.
> You're right. Everyone compromises between performance, security, and
> costs. Some won't buy 1000's users RDBMS licenses just to publish "live"
> data, others will.
Do you have a choice? Oracle used to have special "web" licenses that
link the number of concurrent users to the license. Maybe they changed it
because it was a pretty expensive way for the licensee. Don't know
about the other two (Informix & Sybase).
Personally, I think licenses that state how many users may access a
server are less than "ideal". Hopefully competition is going to fix this
soon.
/Allan
--
Allan M. Wind mailto:[EMAIL PROTECTED]
Manager Information Systems phone: 781.359.9791 (general)
Integration Associates, Inc. phone: 781.273.0195 ext. 205 (direct)
55 Cambridge Street, Suite 301 fax: 781.359.9789
Burlington, MA 01803 http://www.sap-help.com