couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: Authentication Question
Date Wed, 19 Oct 2011 12:55:41 GMT
On Wednesday, October 19, 2011, Paul Hirst <paul.hirst@sophos.com> wrote:
>> -----Original Message-----
>> From: Robert Newson [mailto:rnewson@apache.org]
>> Sent: 19 October 2011 11:04
>> To: user@couchdb.apache.org
>> Subject: Re: Authentication Question
>>
>> You could enable the proxy authentication handler;
>
> [snip]
>
> I read about that but it wasn't clear to me how I could use it. Maybe if I
go through how I imagine it someone will tell me where I have got it wrong.
>
> Assuming I have a pre-existing system which has the concept of sessions
using cookies and has it's own login page.
>
> First make an Ajax request to that system requesting the three headers I
need to send to couch (ie X-Auth-CouchDB-UserName, X-Auth-CouchDB-Roles and
most importantly X-Auth-CouchDB-Token). The token can be generated using the
same secret key which has been configured on the couch server.
>
> This request could somehow send the user to the login page if they aren't
already logged in. If they have a pre-existing session it can just return
the appropriate information.
>
> From then on I can make Ajax requests to the couch server and provided I
manually send the three headers each time, the couch server can authenticate
me and I can use the userCtx role information in validation function to
prevent unauthenticated writes.
>
> What I don't understand (or find odd) is:
>
> 1. The roles don't appear to be included in the Token so how are they
validated? It sounds like the client could send whatever it liked? Only the
username is included in the token calculation.
> 2. How do I get round cross domain problems for the initial step of 'get
me the 3 headers I need'? I have some thoughts on how to do this but if
there are any good suggestions I'd love to hear them.
> 3. I have to send the headers every time round. Is there any way of
requesting a cookie from couch using these credentials or should I just not
be lazy?
>
> I'm most worried about #1.

Why would youneed to validate roles? your app pass roles to couch, if they
exists in db acls or validate functionserfect, if not who care?

-be,oît




>
> Thanks.
>
> Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP,
United Kingdom.
> Company Reg No 2096520. VAT Reg No GB 991 2418 08.
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message