incubator-couchdb-user mailing list archives

From Paul Hirst <paul.hi...@sophos.com>
Subject RE: Authentication Question
Date Wed, 19 Oct 2011 11:57:31 GMT
> -----Original Message-----
> From: Robert Newson [mailto:rnewson@apache.org]
> Sent: 19 October 2011 11:04
> To: user@couchdb.apache.org
> Subject: Re: Authentication Question
>
> You could enable the proxy authentication handler;

[snip]

I read about that but it wasn't clear to me how I could use it. Maybe if I go through how
I imagine it someone will tell me where I have got it wrong.

Assuming I have a pre-existing system which has the concept of sessions using cookies and
has its own login page.

First make an Ajax request to that system requesting the three headers I need to send to couch
(ie X-Auth-CouchDB-UserName, X-Auth-CouchDB-Roles and most importantly X-Auth-CouchDB-Token).
The token can be generated using the same secret key which has been configured on the couch
server.

This request could somehow send the user to the login page if they aren't already logged in.
If they have a pre-existing session it can just return the appropriate information.

From then on I can make Ajax requests to the couch server and provided I manually send
the three headers each time, the couch server can authenticate me and I can use the userCtx
role information in a validation function to prevent unauthenticated writes.

What I don't understand (or find odd) is:

1. The roles don't appear to be included in the Token so how are they validated? It sounds
like the client could send whatever it liked? Only the username is included in the token calculation.
2. How do I get round cross domain problems for the initial step of 'get me the 3 headers
I need'? I have some thoughts on how to do this but if there are any good suggestions I'd
love to hear them.
3. I have to send the headers every time round. Is there any way of requesting a cookie from
couch using these credentials or should I just not be lazy?

I'm most worried about #1.

Thanks.

Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 991 2418 08.
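The header scheme described in the message, written out as an added example that is not part of the original post or of CouchDB itself. It builds the three X-Auth-CouchDB-* headers the way the proxy authentication handler checks them (the token is hex(HMAC-SHA1(secret, username))), mirrors the server-side comparison, and turns point 1 into a check: altering the roles header leaves the token valid, because only the username is covered by the MAC. The secret value is a constructed placeholder, not a real configuration value.

```python
import hmac
import hashlib

# Constructed sample standing in for the [couch_httpd_auth] secret; not a real key.
COUCH_PROXY_SECRET = "constructed-shared-secret"


def proxy_auth_headers(username, roles, secret=COUCH_PROXY_SECRET):
    """Build the three headers the proxy authentication handler reads.

    The token is hex(HMAC-SHA1(secret, username)); the roles are not MAC'd.
    """
    token = hmac.new(secret.encode(), username.encode(), hashlib.sha1).hexdigest()
    return {
        "X-Auth-CouchDB-UserName": username,
        "X-Auth-CouchDB-Roles": ",".join(roles),
        "X-Auth-CouchDB-Token": token,
    }


def couch_accepts(headers, secret=COUCH_PROXY_SECRET):
    """Mirror the server-side check: recompute the HMAC over the username header
    and compare it with the token header in constant time."""
    username = headers.get("X-Auth-CouchDB-UserName", "")
    expected = hmac.new(secret.encode(), username.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Auth-CouchDB-Token", ""))


def roles_bound_to_token(headers, secret=COUCH_PROXY_SECRET):
    """Point 1 as a check: True only if changing the roles header invalidates
    the token. With this scheme it is False, so the roles header is only as
    trustworthy as the path it travelled over (the trusted proxy)."""
    altered = dict(headers)
    altered["X-Auth-CouchDB-Roles"] = headers["X-Auth-CouchDB-Roles"] + ",extra_role"
    return not couch_accepts(altered, secret)


if __name__ == "__main__":
    hdrs = proxy_auth_headers("paul", ["reader"])
    print(hdrs)
    print("accepted by couch:", couch_accepts(hdrs))
    print("roles covered by token:", roles_bound_to_token(hdrs))
```

Because the roles ride outside the MAC, the headers have to be set by a component the server trusts (the proxy), not by the browser, and the secret must stay on the server side.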
