Ron-
If you're in the design phase and you're thinking about which users should have 
access to which pages/resources (and consequently DB resources):
The simplest mechanism is to implement a True Portal Management System based on 
predefined ACLs/roles/groups; users can then be created and will have a 'role' 
assigned in security-administration.
I thoroughly recommend Jetspeed. It has been around for years, has many 
successful installations and works with Cocoon/Turbine, WebMacro and 
Velocity. There is also a wireless component available.
Skins are available (if you want to modify colors or display attributes).
http://portals.apache.org/jetspeed-1/
FWIW/
Martin--
----- Original Message ----- 
From: "Ron" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <pgsql-general@postgresql.org>
Sent: Monday, March 26, 2007 4:31 PM
Subject: [GENERAL] A (hopefully) simple question re: secure pg <=> web 
application access


>I usually have a DBA available to me, but have to "wing it" this time...
> 
> I know what I =want=.  What I don't know is ?how? to do it?
> 
> I want to set up a web app to have access privileges that allow the 
> app to communicate only with certain
> a= pg stored procedures or
> b= java servlets which then talk to pg stored procedures (think 
> Apache + Tomcat but not J2EE environment with a possible Hibernate layer).
> 
> The pg stored procedures will be the only things that have the 
> privileges to actually do DB IO.
> 
> Since the web app can only talk to a restricted set of entities, and 
> I can "lock down" those entities and/or verify traffic with them to 
> my heart's content, this seems to be the best way to avoid SQL code 
> injection, processes that bootstrap their privileges, etc, etc.
> 
> 
> So how do I do this?
> Ron
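Added example, not part of either message above: one way to get the layout the original question describes in PostgreSQL, where the web tier's login role can only execute chosen functions and those functions, not the caller, hold the table privileges. All role, schema, table and function names are hypothetical, and the script assumes it is run by a superuser on PostgreSQL 9.2 or later.

```sql
-- Added example; every name below is hypothetical.
BEGIN;

-- Owns the data and the API functions; nobody can log in as this role.
CREATE ROLE app_owner NOLOGIN;
-- The only role the web application connects as (credentials set separately).
CREATE ROLE web_app LOGIN;

CREATE SCHEMA app_data AUTHORIZATION app_owner;  -- tables live here
CREATE SCHEMA app_api  AUTHORIZATION app_owner;  -- callable functions live here

CREATE TABLE app_data.customer (
    id    serial PRIMARY KEY,
    email text NOT NULL UNIQUE
);
ALTER TABLE app_data.customer OWNER TO app_owner;

-- web_app is never granted anything on app_data: no USAGE on the schema,
-- no SELECT/INSERT/UPDATE/DELETE on its tables.
REVOKE ALL ON SCHEMA app_data FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA app_data FROM PUBLIC;

-- SECURITY DEFINER: the body runs with the privileges of the function owner
-- (app_owner), not of the caller. The argument is bound as a value, so it is
-- never parsed as SQL. search_path is pinned so a caller cannot shadow
-- objects the body refers to; pg_temp goes last on purpose.
CREATE FUNCTION app_api.get_customer_email(p_id integer)
RETURNS text
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = app_data, pg_temp
AS $$
    SELECT email FROM app_data.customer WHERE id = p_id;
$$;
ALTER FUNCTION app_api.get_customer_email(integer) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default; remove that, then grant
-- EXECUTE only to the web role.
REVOKE ALL ON FUNCTION app_api.get_customer_email(integer) FROM PUBLIC;
GRANT USAGE ON SCHEMA app_api TO web_app;
GRANT EXECUTE ON FUNCTION app_api.get_customer_email(integer) TO web_app;

COMMIT;
```

Connected as `web_app`, a call to `app_api.get_customer_email(1)` succeeds while a direct `SELECT` on `app_data.customer` is refused with a permission error. The injection protection holds only while function bodies use their parameters as values; a function that concatenates input into a string for `EXECUTE` reintroduces the problem with the owner's privileges.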