Typical Web-Based Architecture

The following diagram shows a typical account-based web application architecture. It consists of several web applications that run over the Internet. These applications may execute within a web browser (e.g., Internet Explorer) or as a stand-alone Java application. The web application allows application users to access their account (e.g., a bank account) using a user name and a password. As the user interacts with the web application, the web application submits operations (e.g., read bank balance) to the RDBMS middleware application. From a security perspective, the web application should not be trusted to act properly.

The RDBMS application accepts operations from the web application, converts them into SQL, and submits them to the RDBMS server. The RDBMS application is typically custom-made for the particular web application being developed. Typically, the RDBMS application is trusted to authenticate the application user, bind that authentication to the application user's session, and ensure that no data is released or modified beyond what is allowed for the authenticated application user. The RDBMS application connects to the RDBMS server as the RDBMS user and is trusted by the RDBMS server to perform any RDBMS operation that may be needed to satisfy any legitimate application user operation for any application user. Therefore, if the RDBMS application is compromised or bypassed, the data of all application users is exposed.

The RDBMS server accepts operations from the RDBMS application in the form of SQL statements. The RDBMS server has no knowledge of application users. Therefore, a typical RDBMS server cannot make any security decision based on the current application user.
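The trust boundaries described above, as an added example that is not part of the original document: a toy model of the three tiers in Python with an in-memory SQLite database standing in for the RDBMS server. The account data, the application-user credentials and the session token scheme are all constructed for the example; the point is that authorisation lives entirely in the RDBMS application, so anything holding the RDBMS user's connection can read every account.

```python
"""Toy model of the account-based architecture (constructed example)."""
import sqlite3

# Constructed sample data: one balance per application user.
ACCOUNTS = [("alice", 120.0), ("bob", 75.5), ("carol", 3000.0)]
# Constructed credentials for the application-user authentication step
# (a real RDBMS application would store salted password hashes, not plaintext).
APP_USERS = {"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"}


def open_rdbms():
    """Connection held by the RDBMS application as the single RDBMS user.
    The server trusts this connection with every row; it knows no application user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts(owner TEXT PRIMARY KEY, balance REAL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return db


class RdbmsApplication:
    """Middleware tier: authenticates the application user, binds that identity
    to a session, and checks every operation against it before issuing SQL."""

    def __init__(self, db):
        self.db = db
        self.sessions = {}  # session token -> authenticated application user

    def login(self, user, password):
        if APP_USERS.get(user) != password:
            return None
        token = "sess-%d" % (len(self.sessions) + 1)  # constructed token scheme
        self.sessions[token] = user
        return token

    def read_balance(self, token, owner):
        """The 'read bank balance' operation; the owner check is enforced here only."""
        user = self.sessions.get(token)
        if user is None or user != owner:
            raise PermissionError("session is not authorised for this account")
        row = self.db.execute(
            "SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
        return row[0]


def read_as_rdbms_user(db, owner):
    """What the RDBMS server sees if the RDBMS application is bypassed or
    compromised: the same SQL, answered for any account, with no user check."""
    return db.execute(
        "SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()[0]
```

Moving the owner check into the database (for example a per-session application context consulted by a view or row-level policy) is what closes the gap the last function demonstrates.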