[Zope] Databaseadapters, authentification and rowsecurity

Stuart Bishop zen@shangri-la.dropbear.id.au
Sat, 20 Oct 2001 14:31:53 +1000


On Friday, October 19, 2001, at 06:29  PM, H.de.Wit@SFK.NL wrote:

> We are using DB2 on an As400 and are looking at how we can use Zope in
> front of it.
> DB2 offers row security: you can only see the records you are allowed to
> see, based on your username and password.
> I can connect to DB2 with the ZODBDA. With this adapter you have to give
> a username and password, and after that all users are able to 'SQL' the
> database, but with a common username and password, not their own.
>
> Now my question: is it possible to use a database adapter in a personal
> way?

The short answer is you cannot.

> It is not that I don't trust Zope's security mechanism, but I have the
> idea that row security offers just a little more.

Few, if any, application servers would support what you are after as it
involves maintaining a separate database connection for each user.

With Zope it would be possible with some work. You would need to create
a new virtual DA that creates a new connection for each authenticated
user and caches it for some period of time. Note that you would probably
need one connection per Zope thread (4 - 7) unless your underlying db
library can handle being shared between threads, or you are talking to a
middle tier proxy of some kind instead of implementing all this in Zope.
Nobody has been bothered to implement this design though. You could even
tie it into exUserFolder and use the usernames and passwords already
defined in your database as your authentication scheme.

--
Stuart Bishop <zen@shangri-la.dropbear.id.au>
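
The design described in the reply above (one cached connection per authenticated user and per thread, dropped after an idle period), as an added example that is not part of the original message or of any Zope product. The `connect` callable is a hypothetical stand-in for the real database driver, and the class and parameter names are assumptions. It assumes a request finishes with its connection before asking the cache for another one.

```python
import hmac
import os
import threading
import time


class PerUserConnectionCache:
    """One database connection per (username, thread), dropped after idle_ttl seconds."""

    def __init__(self, connect, idle_ttl=300.0, clock=time.monotonic):
        self._connect = connect     # hypothetical: callable(username, password) -> connection
        self._idle_ttl = idle_ttl
        self._clock = clock
        self._key = os.urandom(32)  # per-process key, so no plaintext password is cached
        self._lock = threading.Lock()
        self._entries = {}          # (username, thread id) -> [connection, password tag, last used]

    def _tag(self, password):
        return hmac.new(self._key, password.encode("utf-8"), "sha256").digest()

    def get(self, username, password):
        """Return this user's connection for the calling thread, opening one if needed."""
        tid = threading.get_ident()
        now = self._clock()
        tag = self._tag(password)
        stale, conn = [], None
        with self._lock:
            # A thread expires only its own entries, so nothing is closed under another thread.
            for key in [k for k in self._entries if k[1] == tid]:
                cached, cached_tag, last_used = self._entries[key]
                if now - last_used > self._idle_ttl:
                    stale.append(self._entries.pop(key)[0])
                elif key[0] == username:
                    if hmac.compare_digest(cached_tag, tag):
                        self._entries[key][2] = now
                        conn = cached
                    else:
                        # Wrong or changed password: never hand out the cached session.
                        stale.append(self._entries.pop(key)[0])
        for old in stale:
            old.close()
        if conn is None:
            # The database itself checks the credentials and applies its row security.
            conn = self._connect(username, password)
            with self._lock:
                self._entries[(username, tid)] = [conn, tag, now]
        return conn
```

The password check before reuse matters: without it, a cached session would be handed to any request that merely names the user, and the database's row security would no longer reflect who is actually asking.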