Coming from the MS world, typically an application communicates with the database via a web service call to a web server. The web server handles various things such as security and can validate what the user is allowed to do before touching the database. The database is securely locked down behind the web server. The web server makes a call to the database from its data services layer and can handle any exception handling if necessary. And finally, a response is sent back to the client from the web server.
How does this compare with best practices in the TG world?