On 1/29/07, Andrus <kobruleht2@xxxxxx> wrote:
My application implements field and row level security. I have a custom table of users where user privileges are described. However, a user can log in directly to the database using pgAdmin. This bypasses the security. How to allow users to log in only from my application? I think I must create a server-side pgsql procedure for login validation. How to implement custom authentication on the server side? How to force PostgreSQL to call a stored procedure for user logon validation when a user logs in to PostgreSQL?
1. Make sure your application does not log in as database superuser. Grant access to all tables but do not give the superuser account/password to your customers or your application.

2. You can disable pgAdmin/psql by doing things like:

   revoke select on pg_proc from public;

This will completely hose pgAdmin and also make it hard to work from psql. It will not hurt your ability to run functions. Keep in mind you cannot reduce access to below what is allowed by the application, just make it a bit harder to browse the database, etc.

merlin
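The following is an added example, not code from either poster, showing how the two points above fit together in a least-privilege layout: a non-superuser login role for the application, data owned by a separate role the application cannot log in as, a SECURITY DEFINER function as the only path to the data (so the per-user check in the custom users table is enforced on the server rather than in the client), and the catalog revoke that makes casual browsing from pgAdmin/psql harder. The role, table, column and function names (app_owner, appuser, app_users, customer, get_customer) are assumptions made for the illustration.

```sql
-- Added example (not from the original thread). Run as a superuser/DBA once;
-- the application then connects only as appuser. All names are assumptions.

-- 1. A data-owning role that cannot log in, and a plain login role for the app.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE appuser LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Application tables, owned by app_owner, with no direct access for appuser.
CREATE TABLE app_users (
    username    text PRIMARY KEY,              -- the application's own user list
    can_see_ssn boolean NOT NULL DEFAULT false -- field-level privilege flag
);
CREATE TABLE customer (
    id   serial PRIMARY KEY,
    name text NOT NULL,
    ssn  text                                  -- column protected at field level
);
ALTER TABLE app_users OWNER TO app_owner;
ALTER TABLE customer  OWNER TO app_owner;
REVOKE ALL ON app_users, customer FROM PUBLIC;

-- 3. The only way to reach customer rows: a function that runs with the
--    owner's rights and applies the app_users check itself.
CREATE OR REPLACE FUNCTION get_customer(p_app_user text, p_id int)
RETURNS TABLE (id int, name text, ssn text)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp   -- pin search_path for a definer function
AS $$
BEGIN
    IF NOT EXISTS (SELECT 1 FROM app_users u WHERE u.username = p_app_user) THEN
        RAISE EXCEPTION 'unknown application user %', p_app_user;
    END IF;

    RETURN QUERY
        SELECT c.id,
               c.name,
               CASE WHEN u.can_see_ssn THEN c.ssn ELSE NULL END
          FROM customer  c
         CROSS JOIN app_users u
         WHERE c.id = p_id
           AND u.username = p_app_user;
END;
$$;
ALTER FUNCTION get_customer(text, int) OWNER TO app_owner;
REVOKE ALL ON FUNCTION get_customer(text, int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION get_customer(text, int) TO appuser;

-- 4. Make catalog browsing from pgAdmin/psql harder in this database.
REVOKE SELECT ON pg_catalog.pg_proc FROM PUBLIC;
```

With this in place, `SELECT * FROM customer` as appuser fails with a permission error, while `SELECT * FROM get_customer('alice', 1)` works and returns ssn only if app_users says alice may see it. The caveat in the reply still applies: anyone holding the appuser password can connect with psql and call get_customer with any p_app_user value, so the function's argument is only as trustworthy as the credential used to connect. The pg_proc revoke must be run by a superuser, and it breaks tools such as pgAdmin for every role in that database, including the DBA's own sessions, until it is granted back.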