pros and cons of two security models

Hi all;

I wanted to get opinions of folks who do a lot of this as well.

LedgerSMB uses database user accounts and role grants to restrict access of
the front-end application. This means:

1) The database does not trust the application. The application has no
access to the db in the absence of user-supplied credentials.

2) Permissions are granted on functions and tables, and the application is
aware of granted roles, and so can make informed decisions about what
options to give the user.

This has a few significant drawbacks. As far as the web application is
concerned, the types of supported authentication are limited to those
which are re-usable, which basically means BASIC and KRB5. This maps to a
much larger number on the web server to db server tier, but often the web
server hop is the most exposed one. This is a significant problem. On the
other hand it buys us:

1) access to every method of authentication Pg supports for non-web apps,
and

2) access to every method of password auth that Pg supports for web apps

3) Centralized security logic which means consistent access enforced
through a variety of clients.

Which does everyone else prefer? Why? I am asking because this choice has
spawned some controversy around LedgerSMB from time to time, though not as
much as being Pg-only at least looking at public and private discussions of
the software I have seen.

Best Wishes,
Chris Travers