[4002] in WWW Security List Archive
Re: www, database and security
daemon@ATHENA.MIT.EDU (Patrick Richard)
Thu Jan 16 19:14:27 1997
Date: Thu, 16 Jan 1997 12:58:05 -0800 (PST)
From: Patrick Richard <patr@xcert.com>
To: John Gervasi - Loral - X1468 <gervasi@manassas1.tds-gn.lmco.com>
cc: ajenie@pop03.ca.us.ibm.net, joang@lix.intercom.es,
www-security@ns2.rutgers.edu
In-Reply-To: <199701141419.JAA12276@mutt.reston.unisysgsg.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 14 Jan 1997, John Gervasi - Loral - X1468 wrote:
> The problem is that by going directly to a database from the browser using JavaScript,
> you are circumventing any security implemented between the browser and server,
> like SSL.
An alternative that we have implemented is an HTTPS server that proxies the
client during its connection to an LDAP database, which effectively gives the
HTTP server the client's credentials when accessing DB data, and then the
resulting DB data is parsed into HTML and returned to the client, all secured
via SSL.
> >
> MY COORDINATES:
>
> John J. Gervasi
> Engineering Support Manager
> Global Transportation Network Project
>
> Lockheed Martin
> 9255 Wellington Road, Building 102
> Manassas, Virginia 20110-4121
>
> work 703.367.2534
> fax 703.367.1076
>
>
> e-mail john.j.gervasi@lmco.com
> or gervasi@manassas1.tds-gn.lmco.com
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> Remember, life is what happens to you while
> you were hoping for other results. :-)
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> > >
> > > > 2) Which security problems can arise with these methods?
> > >
> > > Basically, the database server will treat you as a one instance
> > > connection from one client. So, any Internet connection will use the
> > > userid/password that has been given to the Internet Server (maybe
> > > somebody can add other security issues ??). Bottom line is we'll use
> > > the security scheme that comes from the database system.
> > >
> > > Hope this will help.
> > >
> > > Thank You and Have a Nice Day,
> > > Andre Jenie
> > > Security Analyst
> > > Jakarta, Indonesia
> >
> > --
> > ------------------------------------------------------------------------
> > Joan G.Villaraco y Perez Tel 34-3-580-2500
> > Ingeniero de Sistemas Fax 34-3-580-0995
> > ADD Servicios Informaticos, s.a. (Trabajo)
> > mailto:joang@lix.intercom.es
> > Parque Tecnologico del Valles (Personal) mailto:joang@redestb.es
> > 08290-Cerdanyola-Barcelona (SPAIN) http://www.add.es
> > ------------------------------------------------------------------------
> >
>
--
Pat Richard / patr@xcert.com
----
Run your own CA and secure your Virtual Community:
http://www.xcert.com
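
The two designs discussed in this thread, side by side, as an added example that is not code from the original message or from Xcert: a gateway that reaches the backend under one shared server account, and a gateway that binds with the client's own credentials so the backend's access rules apply per user. The Directory class, account names, passwords and entries are constructed stand-ins for a real LDAP or database server, and password credentials are an assumption (the message only says "credentials").

```python
# Constructed model: an in-memory stand-in for a directory/database that
# enforces its own per-entry access control. Not a real LDAP client.
import hmac
import html

class Directory:
    def __init__(self):
        # Constructed sample accounts and entries.
        self._passwords = {"alice": "a-pw", "bob": "b-pw", "websvc": "svc-pw"}
        self._entries = {"alice": {"mail": "alice@example.org", "salary": "<100>"},
                         "bob": {"mail": "bob@example.org", "salary": "<90>"}}
        self.audit = []  # (identity the backend saw, entry read)

    def bind(self, user, password):
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bind failed")
        return user  # the identity the backend will authorise against

    def read(self, bound_as, entry):
        # Backend rule: users read only their own entry; the service
        # account may read everything, since it serves every visitor.
        if bound_as != "websvc" and bound_as != entry:
            raise PermissionError(f"{bound_as} may not read {entry}")
        self.audit.append((bound_as, entry))
        return self._entries[entry]

def render(record):
    # Backend data is escaped before it is placed into the HTML reply.
    rows = "".join(f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
                   for k, v in sorted(record.items()))
    return f"<table>{rows}</table>"

def shared_account_gateway(directory, web_user, entry):
    # Single-identity design: the backend only ever sees "websvc", so the
    # gateway itself must decide who may see what. This one does not check.
    bound = directory.bind("websvc", "svc-pw")
    return render(directory.read(bound, entry))

def passthrough_gateway(directory, web_user, web_password, entry):
    # Proxy design: bind with the client's own credentials so the
    # backend's access control and audit trail apply per user.
    bound = directory.bind(web_user, web_password)
    return render(directory.read(bound, entry))
```

With the shared account, the backend's audit trail attributes every read to the server account; with pass-through, a request for another user's entry is refused by the backend itself.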