couchdb-user mailing list archives

From Hinnerk Haardt <hinn...@randnotizen.de>
Subject Re: Anonymous Access to Design Docs
Date Thu, 04 Nov 2010 09:46:49 GMT
I like the simplicity of the solution you propose.

About the security implications: First I thought the design document
and thus the business logic of an application would be public but
that's not the case if login and business logic reside in separate
design documents and only the one containing the login logic is open
for anonymous access.

Besides: Redirection to a login app can be easily implemented by a
reverse proxy in front of the couch. As there's already the implicit
dependency between the two necessary databases you already mentioned
for a solution using redirection, the complexity added by the proxy
wouldn't count much in my eyes. And if security is important it's
likely a proxy is used anyway because it's the simplest way to add
better logging, SSL and single sign on via Kerberos.


Hinnerk


On Thu, Oct 14, 2010 at 10:54 PM, Dale Harvey <dale@arandomurl.com> wrote:
> I don't think a configurable redirect really helps logging into private
> couchapps, you will be logging in to a public couchapp anyway, so I imagine
> it would just be easier if "everything" went through the design doc couchapp
> and it just told the client where to make requests, I guess that falls apart
> fairly quickly with show / lists though
>
> I did a quick patch mostly for discussion's sake, it's not a particularly
> clean way to do access control, but it's a fairly simple patch, obviously if
> I can get any consensus would clean up + test etc
>
> http://gist.github.com/627022
>
> On 14 October 2010 07:54, Johannes J. Schmidt <schmidt@netzmerk.com> wrote:
>
>>
>> On Wednesday, 13.10.2010, 15:31 -0700, Tyler Gillies wrote:
>> > On Wed, Oct 13, 2010 at 8:25 AM, Paul Davis <paul.joseph.davis@gmail.com> wrote:
>> >
>> > >
>> > >
>> > > I wonder if having a white list of design doc URL paths might be the
>> > > middle ground. Instead of redirecting to Futon, the ddoc could list a
>> > > URL to redirect to.
>> > >
>> > > Paul
>> > >
>> >
>> >
>> > I like this idea
>>
>> Me too. I would appreciate a configure option for 403 redirects on a
>> database level.
>> You might consider storing that URL inside the _security object instead.
>> Otherwise, if you had many design documents with such a redirect
>> URL specified, it is not clear which one to choose.
>>
>> Greetings
>> Johannes
>>
>>
>
