Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Date: Wed, 19 Oct 2011 14:55:41 +0200
Subject: Re: Authentication Question
From: Benoit Chesneau
To: user@couchdb.apache.org
In-Reply-To: <36E79CEC5BFB8E4D9763C4DEB9B1163C38970AA34A@UK-EXCHMBX1.green.sophos>

On Wednesday, October 19, 2011, Paul Hirst wrote:
>> -----Original Message-----
>> From: Robert Newson [mailto:rnewson@apache.org]
>> Sent: 19 October 2011 11:04
>> To: user@couchdb.apache.org
>> Subject: Re: Authentication Question
>>
>> You could enable the proxy authentication handler;
>
> [snip]
>
> I read about that but it wasn't clear to me how I could use it. Maybe if I go through how I imagine it someone will tell me where I have got it wrong.
>
> Assuming I have a pre-existing system which has the concept of sessions using cookies and has its own login page.
>
> First make an Ajax request to that system requesting the three headers I need to send to couch (i.e. X-Auth-CouchDB-UserName, X-Auth-CouchDB-Roles and most importantly X-Auth-CouchDB-Token). The token can be generated using the same secret key which has been configured on the couch server.
>
> This request could somehow send the user to the login page if they aren't already logged in. If they have a pre-existing session it can just return the appropriate information.
>
> From then on I can make Ajax requests to the couch server and provided I manually send the three headers each time, the couch server can authenticate me and I can use the userCtx role information in a validation function to prevent unauthenticated writes.
>
> What I don't understand (or find odd) is:
>
> 1. The roles don't appear to be included in the Token so how are they validated? It sounds like the client could send whatever it liked? Only the username is included in the token calculation.
> 2. How do I get round cross domain problems for the initial step of 'get me the 3 headers I need'? I have some thoughts on how to do this but if there are any good suggestions I'd love to hear them.
> 3. I have to send the headers every time round. Is there any way of requesting a cookie from couch using these credentials or should I just not be lazy?
>
> I'm most worried about #1.

Why would you need to validate roles? Your app passes roles to couch; if they exist in db ACLs or validate functions, perfect, if not who cares?

- benoît

> Thanks.
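An added example, not code from this thread, showing what the trusted proxy (the existing session system Paul describes) would put in the three headers and what CouchDB then actually verifies; it assumes CouchDB 1.x proxy authentication with proxy_use_secret enabled, where the token is the lowercase hex HMAC-SHA1 of the username under the shared [couch_httpd_auth] secret, and the secret, username and roles are constructed values.

```python
import hashlib
import hmac

# Constructed value for this example; in a deployment the secret comes from
# the [couch_httpd_auth] secret setting shared by the proxy and CouchDB.
SHARED_SECRET = "example-shared-secret-not-real"


def couchdb_proxy_token(secret, username):
    """X-Auth-CouchDB-Token as CouchDB 1.x computes it when proxy_use_secret
    is enabled: lowercase hex of HMAC-SHA1(secret, username)."""
    return hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def proxy_auth_headers(secret, username, roles):
    """Headers the trusted proxy adds before forwarding a request to CouchDB.
    Roles are a comma-separated list, as the proxy handler expects."""
    return {
        "X-Auth-CouchDB-UserName": username,
        "X-Auth-CouchDB-Roles": ",".join(roles),
        "X-Auth-CouchDB-Token": couchdb_proxy_token(secret, username),
    }


def couchdb_side_check(secret, headers):
    """Mirror of the check CouchDB performs: the token must be the HMAC of the
    username. Roles are taken from their header as-is (the token does not
    cover them, which is question #1 in the thread), so the roles header is
    only as trustworthy as the proxy that set it. Returns the userCtx
    CouchDB would build, or None when the token is rejected."""
    username = headers.get("X-Auth-CouchDB-UserName")
    token = headers.get("X-Auth-CouchDB-Token", "")
    if username is None:
        return None
    expected = couchdb_proxy_token(secret, username)
    # Constant-time comparison so token checking does not leak timing.
    if not hmac.compare_digest(expected, token):
        return None
    roles = [r for r in headers.get("X-Auth-CouchDB-Roles", "").split(",") if r]
    return {"name": username, "roles": roles}
```

Because the roles header is unverified by CouchDB, the mitigation is topological: only the proxy may reach CouchDB, so browsers never get to set these headers themselves.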