Re: General Security-Question
From | Konstantinos Agouros |
---|---|
Subject | Re: General Security-Question |
Date | |
Msg-id | 20010618230602.A31247@rumba.agouros.de |
In response to | Re: General Security-Question (Doug McNaught <doug@wireboard.com>) |
List | pgsql-general |
On Mon, Jun 18, 2001 at 05:02:45PM -0400, Doug McNaught wrote:
> elwood@agouros.de (Konstantinos Agouros) writes:
>
> > can I stop people from updating the data of the others. The one
> > thing that came to my mind was not creating database-users but
> > instead use a static user, and let the application handle the logic
> > who can access which lines in the database (it's also a matter of
> > dataprivacy, one should be allowed to watch one's own data but not
> > of the others, the team-manager should see the data of the team
> > etc). The read-access can be implemented using views but I don't
> > see much other way for data-entry. Somebody has an idea?
>
> Honestly, I think the best way to do this is to create a Java class
> (or classes) that implements all your business logic on the server
> side, then have the applet make RMI calls into that API. You can pass
> the applet a random cookie when it's created, and have the applet pass
> that back as part of the RMI call, and then check in the server logic
> to see whether the user is trying any funny stuff (like trying to see
> or modify someone else's data).
>
> Make sense?

That way I could bind the postgres-master to 127.0.0.1 that might work though.
My problem is that if I would use a regular applet/jdbc-connection the
postmaster has to listen on the real network address and if I create normal
db-accounts, everybody could call psql and that is what I want to avoid. But I
guess I go with the Static-ID-Part since it is easier to implement :)

Konstantin

--
Dipl-Inf. Konstantin Agouros aka Elwood Blues. Internet: elwood@agouros.de
Otkerstr. 28, 81547 Muenchen, Germany. Tel +49 89 69370185
----------------------------------------------------------------------------
"Captain, this ship will not sustain the forming of the cosmos." B'Elana Torres
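
The design discussed in this message (one server-side class, a random cookie per client, an ownership check on every call), as an added example that is not part of the original thread. The class, record, and user names are hypothetical, the in-memory map stands in for the table reached through the single static database account, and records assume Java 16 or later.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical server-side class: clients hold only a random token, never DB credentials.
public class TimesheetService {
    record Session(String user, String team, boolean manager) {}
    record Row(String owner, String team, String data) {}
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final Map<Integer, Row> rows = new ConcurrentHashMap<>(); // stands in for the table
    // Called once the user has authenticated; the result is the cookie handed to the applet.
    public String openSession(String user, String team, boolean manager) {
        byte[] b = new byte[32]; rng.nextBytes(b);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        sessions.put(token, new Session(user, team, manager));
        return token;
    }
    private Session require(String token) {
        Session s = token == null ? null : sessions.get(token);
        if (s == null) throw new SecurityException("unknown session token");
        return s;
    }
    // Read: own rows, or rows of the caller's team when the caller is its manager.
    public String read(String token, int id) {
        Session s = require(token);
        Row r = rows.get(id);
        if (r == null || !(r.owner().equals(s.user()) || (s.manager() && r.team().equals(s.team()))))
            throw new SecurityException(s.user() + " may not read row " + id);
        return r.data();
    }
    // Write: the owner comes from the session, never from a client-supplied field.
    public void write(String token, int id, String data) {
        Session s = require(token);
        rows.compute(id, (k, old) -> { // atomic check-and-update
            if (old != null && !old.owner().equals(s.user()))
                throw new SecurityException(s.user() + " may not modify row " + id);
            return new Row(s.user(), s.team(), data);
        });
    }
    public static void main(String[] args) {
        TimesheetService svc = new TimesheetService();
        String alice = svc.openSession("alice", "ops", false); // constructed sample users
        String bob = svc.openSession("bob", "ops", false);
        String carol = svc.openSession("carol", "ops", true);
        svc.write(alice, 1, "8h");
        System.out.println(svc.read(carol, 1)); // team manager may read
        try { svc.write(bob, 1, "0h"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because every call resolves the caller from the token and takes the row owner from the session, the client never supplies a user name the server has to trust.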