Experimental support for Authenticated databases #147

Open
wants to merge 1 commit into
from

2 participants

@nnarhinen

This commit reads authorization info from the Servlet Request by parsing the
Authorization-header. The authorization information is then passed along to
Database to be used in indexing requests from database

This PR tries to solve issue #79

@nnarhinen nnarhinen Experimental support for Authenticated databases
This commit reads authorization info from the Servlet Request by parsing the
Authorization-header. The authorization information is then passed along to
Database to be used in indexing requests from database
14bc126
@rnewson
Owner

I think this is the wrong approach. I've sketched what I think it ought to look like here (http://friendpaste.com/1J8edQNtYJWeJpIa2hxoaV). Specifically, we teach Jetty that it needs to authenticate to couchdb. I haven't completed the CouchDBUserRealm class yet. The authenticate method would call /_session or something.

Perhaps even that is wrong, though. It would be simple to set up separate authentication for couchdb-lucene and this seems easier to reason about security issues. I find it difficult to be happy about proxying usernames and passwords back and forth like this.

@rnewson
Owner

sidenote: couchdb-lucene should be packaged as a proper WAR file, and then authenticate to it goes into web.xml, where it belongs, and becomes the deployers decision on how to secure it. If c-l also ships with a module that allows authentication against couchdb itself, then that just gives more options without forcing anyone's hand.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment