incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jesse Hallett <>
Subject Re: Couchdb with OpenSSO
Date Mon, 19 Oct 2009 17:09:54 GMT
Do you mean that users could bypass Apache by accessing CouchDB directly?
For example, by connecting to port 5984?  If that is the problem you should
configure CouchDB to bind to the local interface so that it refuses
connections from other machines.  Then set up Apache as a reverse proxy to
forward requests to CouchDB.  That way all connections to CouchDB will be
forced through the Apache authentication step.

If the problem is setting up more granular permissions than a simple allow
or deny for the whole CouchDB server I think that mod_auth will give you
some options.  There is probably a way to handle authorization differently
for different request paths.  Or it might be possible to rewrite OpenSSO
credentials to basic auth headers in Apache.  That way you could map OpenSSO
users to CouchDB groups to make use of CouchDB's internal permissions

You could of course modify the CouchDB code instead.  I'm sure the devs
would appreciate patches for new features.  However I'm pretty certain that
that is the hard way.

On Oct 19, 2009 9:21 AM, "Suhail Ahmed" <> wrote:


Unfortunately, apache mod_auth is not an option with me because my
requirements are to provide security in depth and since Couchdb still
exposes its rest interfaces independent of Apache, I need to lock that down
in a more integration architecture.


On Mon, Oct 19, 2009 at 1:13 PM, Miles Fidelman

> Suhail Ahmed wrote: > >> Hi, >> >> I am looking to replacing my
content management engin...

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message