incubator-couchdb-user mailing list archives

From Paul Hirst <paul.hi...@sophos.com>
Subject RE: Authentication Question
Date Wed, 19 Oct 2011 13:52:35 GMT
>>> You could enable the proxy authentication handler;

>> 1. The roles don't appear to be included in the Token so how are they
>> validated? It sounds like the client could send whatever it liked? Only
>> the username is included in the token calculation.

> Why would you need to validate roles? Your app passes roles to couch; if
> they exist in db ACLs or validate functions, perfect, if not, who cares?
>

I was going to use roles in a validate function to check who was allowed
to write to the database. This would mean I could tie it into the roles
which exist on the existing system. However it seems I can't do that
since they aren't validated. For example, a user could be given the
following headers by the authentication server:

Username: bob
Roles: user
Token: <some opaque string>

It could then talk to the couchdb server using

Username: bob
Roles: _admin
Token: <same opaque string>

The couch server would validate the Username against the Token and
believe everything is fine but the user has gained admin rights they
shouldn't have.

I think for my purposes I can distil all real users down to the same couch
username and use that in validation functions and ignore roles entirely
but it seems a bit of a shame.

Thanks for the suggestions. At least I think I can press on now with
what I was trying to achieve.

Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 991 2418 08.
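The scenario described in the message, as an added example that is not part of the original thread and not CouchDB's own code. It models the proxy authentication handler's check (HMAC-SHA1 keyed with the shared secret over the username only, carried in CouchDB's documented X-Auth-CouchDB-UserName, X-Auth-CouchDB-Roles and X-Auth-CouchDB-Token headers), shows that a client who rewrites the roles header keeps a valid token, and then shows the usual mitigation: a trusted reverse proxy that drops any client-supplied X-Auth-CouchDB-* headers and rebuilds them from its own session store. The secret value, the session table, the Cookie-Session header name and the trusted_proxy_forward function are assumptions constructed for the demo.

```python
import hmac
import hashlib

# Constructed for the demo: the shared key that CouchDB's proxy handler
# would hold in its secret setting (assumption: any value works here).
SECRET = b"constructed-shared-secret"

# Constructed server-side session table: session id -> (username, roles).
SESSIONS = {"sess-123": ("bob", ["user"])}

# CouchDB's documented proxy-authentication headers.
AUTH_HEADERS = ("X-Auth-CouchDB-UserName", "X-Auth-CouchDB-Roles", "X-Auth-CouchDB-Token")


def couch_proxy_token(secret, username):
    """Token as the proxy authentication handler expects it:
    HMAC-SHA1, keyed with the shared secret, over the username only."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()


def issue_headers(secret, username, roles):
    """What an authentication server hands back for a logged-in user."""
    return {
        "X-Auth-CouchDB-UserName": username,
        "X-Auth-CouchDB-Roles": ",".join(roles),
        "X-Auth-CouchDB-Token": couch_proxy_token(secret, username),
    }


def couch_accepts(secret, headers):
    """Model of the handler's check: the token is verified against the
    username header alone, so the roles header is taken at face value.
    Returns the (username, roles) CouchDB would trust, or None."""
    username = headers.get("X-Auth-CouchDB-UserName")
    token = headers.get("X-Auth-CouchDB-Token", "")
    if username is None:
        return None
    expected = couch_proxy_token(secret, username)
    if not hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8")):
        return None
    roles = [r for r in headers.get("X-Auth-CouchDB-Roles", "").split(",") if r]
    return username, roles


def trusted_proxy_forward(secret, client_headers, sessions):
    """Hardening pattern (an assumption, not CouchDB code): a reverse proxy in
    front of CouchDB discards every X-Auth-CouchDB-* header the client sent
    and rebuilds them from its own session store, so the roles that reach
    CouchDB are whatever the server decided, never what the client typed.
    'Cookie-Session' is a constructed header name standing in for whatever
    the proxy uses to identify the session."""
    forwarded = {k: v for k, v in client_headers.items() if k not in AUTH_HEADERS}
    session = sessions.get(client_headers.get("Cookie-Session", ""))
    if session is None:
        return forwarded  # anonymous request: no auth headers at all
    username, roles = session
    forwarded.update(issue_headers(secret, username, roles))
    return forwarded


def demo():
    """Replays the message: bob is issued roles=user, rewrites roles to
    _admin, keeps the same token, and sends it (a) straight to CouchDB and
    (b) through the trusted proxy."""
    legit = issue_headers(SECRET, "bob", ["user"])
    tampered = {**legit, "X-Auth-CouchDB-Roles": "_admin"}
    direct = couch_accepts(SECRET, tampered)
    via_proxy = couch_accepts(
        SECRET,
        trusted_proxy_forward(SECRET, {**tampered, "Cookie-Session": "sess-123"}, SESSIONS),
    )
    return direct, via_proxy


if __name__ == "__main__":
    print(demo())
```

Run directly, the script returns ('bob', ['_admin']) for the direct request and ('bob', ['user']) once the proxy rebuilds the headers. The point of the second path is that the roles are never taken from the client at all, so the fact that the token does not cover them stops mattering; it only holds if CouchDB is reachable exclusively through the proxy.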
