Opinions about authentication between application and database tiers

無奈伤痛 2021-01-24 13:53

I'm puzzling over a technical dilemma where two folks on our team are recommending two different security models, each with pros and cons.

The greenfield looks like this:

2 answers
  •  醉梦人生
    2021-01-24 14:38

    How many potential users can you have and how many of those users could be active at once?

    For example, if you have 100,000 users, and thousands can be online at one time, then you will need 1000's of database connections open to serve them all, as each user can only use their own connection. Setting up and tearing down a connection for each transaction is very expensive and will make the application slow.

    Personally I would go for a connection pool, and would not have a database user account per internet user. That is how web applications are generally built.

    Something like Oracle Fine Grained Access Control may give you a middle ground of security, whereby you set the 'internet user' in the session and then the database ensures that internet user can only access what it is allowed to based on rules in the database.
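
The middle ground the answer above describes, as an added example that is not part of the original thread: one pooled database account, with the end user set in an Oracle application context and enforced by a DBMS_RLS row-level policy. The schema, table, column, package and context names (APP_SEC, APP_DATA.ORDERS, owner_name, user_ctx_pkg, app_user_ctx) and the user 'alice' are hypothetical.

```sql
-- Added example; all schema, table, column, package and user names are hypothetical.
-- Assumes schemas APP_SEC and APP_DATA exist and this is run by a privileged admin.

-- 1. Application context that can be written only through APP_SEC.USER_CTX_PKG.
CREATE OR REPLACE CONTEXT app_user_ctx USING app_sec.user_ctx_pkg;

CREATE OR REPLACE PACKAGE app_sec.user_ctx_pkg AS
  PROCEDURE set_user(p_end_user IN VARCHAR2);
  PROCEDURE clear_user;
  FUNCTION orders_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END user_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_sec.user_ctx_pkg AS
  PROCEDURE set_user(p_end_user IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('app_user_ctx', 'end_user', p_end_user);
  END set_user;
  PROCEDURE clear_user IS
  BEGIN
    DBMS_SESSION.CLEAR_ALL_CONTEXT('app_user_ctx');
  END clear_user;
  -- Policy function: Oracle appends the returned predicate to each statement.
  -- With no end user set, SYS_CONTEXT returns NULL and no row matches.
  FUNCTION orders_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    RETURN 'owner_name = SYS_CONTEXT(''app_user_ctx'', ''end_user'')';
  END orders_predicate;
END user_ctx_pkg;
/
-- 2. Attach the row-level policy to the table.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_DATA',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_END_USER',
    function_schema => 'APP_SEC',
    policy_function => 'USER_CTX_PKG.ORDERS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- also reject writes of rows the user could not read
END;
/
-- 3. Per request, on a connection borrowed from the pool:
BEGIN app_sec.user_ctx_pkg.set_user('alice'); END;
/
SELECT order_id, owner_name FROM app_data.orders;  -- only alice's rows are visible
-- Clear the context before handing the connection back to the pool.
BEGIN app_sec.user_ctx_pkg.clear_user; END;
/
```

Any session that can execute `set_user` can claim any end user, so the database is still trusting the application tier's authentication; grant EXECUTE on the package only to the pooled account.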
