From: Mark Hammond
Date: Fri, 26 Jun 2009 12:31:54 +1000
To: dev@couchdb.apache.org
Subject: Re: CouchDB Authentication and Authorization
Message-ID: <4A44331A.8040901@gmail.com>
In-Reply-To: <52664B06-2181-43F1-8E77-BE7D22680902@apache.org>

On 26/06/2009 1:02 AM, Jan Lehnardt wrote:
> An example authentication client request
>
> | client | ---> | http request with credentials | ---> | authentication handler | ---> | lookup in authentication handler specific view in `users` database | ---> | grant or deny access, set role |

If you intend to support Windows NTLM authentication, there are a couple of
things that may, or may not, complicate this:

* NTLM is based on a series of 'challenge/response' pairs; the client
  issues a request, the server responds with a 404 and a 'token' in the
  headers, the client re-requests with a token based on the server's
  token, the server responds yet again with 404 and a new token, then
  finally the client's next request works.

* NTLM is connection-based. Once the connection is closed you must re-do
  that dance. It is not possible to persist anything beyond the life of
  the connection which you can use on a subsequent connection. Therefore,
  the dance described above must also be performed on the same
  connection.

Hoping this is relevant,

Mark
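Added example (not from this thread or from CouchDB): a toy Python model of an authentication handler with the two properties Mark describes, several challenge/response legs before a request succeeds, and handshake state that lives only on the connection. The model uses HTTP 401 for the challenge legs (the status HTTP uses to carry a WWW-Authenticate challenge), and the token scheme, user store, shared secret and integer connection ids are constructed stand-ins for the real NTLM messages.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

LEGS = 2  # server challenges the client must answer before a request succeeds

def client_answer(server_token: str, shared_secret: str) -> str:
    """Client side: derive the response token from the server's challenge token (toy scheme)."""
    return hashlib.sha256((server_token + shared_secret).encode()).hexdigest()

class ConnectionBoundAuth:
    def __init__(self, users: Dict[str, str]):
        self._users = users  # user -> shared secret (constructed toy credential store)
        self._conns: Dict[int, dict] = {}  # handshake state keyed by connection, never by request

    def open(self, conn_id: int) -> None:
        self._conns[conn_id] = {"answered": 0, "token": "", "principal": None}

    def close(self, conn_id: int) -> None:
        self._conns.pop(conn_id, None)  # nothing outlives the connection

    def handle(self, conn_id: int, user: str, token: Optional[str]) -> Tuple[int, Optional[str]]:
        """Return (status, challenge); 401 means answer the challenge and resend on this connection."""
        st = self._conns[conn_id]
        if st["principal"] is not None:
            return 200, None  # this connection already completed the dance
        expected = (client_answer(st["token"], self._users[user])
                    if st["token"] and user in self._users else None)
        if token is not None and expected is not None and hmac.compare_digest(token, expected):
            st["answered"] += 1
            if st["answered"] == LEGS:
                st["principal"], st["token"] = user, ""
                return 200, None
        else:
            st["answered"] = 0  # missing or wrong answer: start the dance over
        st["token"] = secrets.token_hex(8)
        return 401, st["token"]

def run_dance(auth: ConnectionBoundAuth, conn_id: int, user: str, secret: str) -> List[int]:
    """Client loop: answer challenges on one connection until the reply is not 401."""
    statuses, token = [], None
    for _ in range(LEGS + 2):  # bounded, so a wrong secret cannot loop forever
        status, challenge = auth.handle(conn_id, user, token)
        statuses.append(status)
        if status != 401:
            break
        token = client_answer(challenge, secret)
    return statuses
```

A second connection opened while the first is authenticated still gets a 401, and closing and reopening a connection discards the authenticated identity, which is exactly why a per-request handler cannot complete this exchange.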