Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Application vs database users

From: Mark Bole <makbo_at_pacbell.net>
Date: Wed, 01 Jun 2005 00:19:16 GMT
Message-ID: <8a7ne.805$IE7.726@newssvr21.news.prodigy.com>


kochel_verz_at_yahoo.com wrote:
> Hi.
> Please give some opinion on this:
> Which is the best approach for managing users in a typical three-tier
> web application, using jdbc:

HansF wrote:

> Some reasons to ensure that each app user has a unique database userid:
>
[...]

> 
> Some reasons to avoid that:
> 

[...]
>
DA Morgan wrote:
> The method chosen is wholly dependent upon what the security needs of
> the organization and the application are.
>

[...]
> I would only deviate from this when circumstances so dictate.
>

Taking advantage of JDBC connection pooling (my experience in this regard is with BEA WebLogic) would naturally lead to the choice of one or two database logins (connection pools) for the entire application, instead of individual database users for each application user, so I don't agree that security is the only issue to consider (I guess that falls under the "hedge" clause...).

Also, on the flip side of security, creating new database users and resetting forgotten passwords requires DBA privilege, while adding/updating rows in an application-level table does not.

As HansF mentioned, there are trade-offs that only your business needs can determine.

-Mark Bole

Received on Tue May 31 2005 - 19:19:16 CDT
