Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
- Subject: Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
- From: "Joshua D. Drake" <..hidden..>
- Date: Tue, 02 Oct 2007 14:07:41 -0700
Ashley J Gittins wrote:
> As I understand it (and I am pretty likely to get this wrong so feel free to
> point that out) the only reason we have to send the user/pass on every http
> request is because of the change to using postgresql to authenticate every
> request (i.e., server-side, LSMB logs into psql as the actual user), therefore
> requiring the password to do so.
>
> I remember trying to make the point some time ago that maybe LSMB should
> connect as its own user, then use postgres' role-switching abilities to
> become the connected user after connection. As I understand it this can be
> done without having to supply the user's password.
Are you talking about set session authorization?
>
> Then, you have the advantage of not needing the plaintext password for every
> request (since LSMB can track a list of valid sessions and logs into psql
> as "itself"), and we can still use per-role access restrictions on tables etc
> in psql, since lsmb will switch roles to that user to perform data
> operations.
>
> Additionally, I think using http-auth would be a step backwards, given that
> some browsers are pretty unpredictable with the credentials (tell me a way to
> make a browser reliably "forget" credentials? afaik, there isn't one)
Yes there is. You close the browser. :)
Joshua D. Drake
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997 http://www.commandprompt.com/
UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
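The "connect as the application, then switch to the user" pattern Ashley describes, together with the SET ROLE versus SET SESSION AUTHORIZATION distinction Joshua asks about, as an added SQL example. This is not code from the thread or from LedgerSMB; the role and table names (lsmb_app, alice, lsmb_ar_clerk, ar_invoices) are assumed.

```sql
-- Added example, not from the thread or LedgerSMB. All names are assumed.

-- One login role for the application. It authenticates with its own
-- password only; no user password ever has to be sent per request.
-- NOINHERIT keeps it from silently holding every user's privileges.
CREATE ROLE lsmb_app LOGIN PASSWORD 'app-secret' NOINHERIT;

-- Per-user and per-function roles. They need no LOGIN and no password,
-- because the application never authenticates as them, it only switches.
CREATE ROLE alice NOLOGIN;
CREATE ROLE lsmb_ar_clerk NOLOGIN;
GRANT lsmb_ar_clerk TO alice;

-- Table privileges are granted to the function role, not to lsmb_app.
CREATE TABLE ar_invoices (id serial PRIMARY KEY, amount numeric NOT NULL);
GRANT SELECT, INSERT ON ar_invoices TO lsmb_ar_clerk;

-- Membership is what allows SET ROLE: lsmb_app may become alice.
-- Without this grant, SET ROLE alice is refused.
GRANT alice TO lsmb_app;

-- Per request, on the application's own connection, after the application
-- has checked its session table and established that the caller is alice:
SET ROLE alice;
-- current_user is now alice (session_user stays lsmb_app), so the
-- per-role table restrictions apply exactly as if alice had logged in.
INSERT INTO ar_invoices (amount) VALUES (42.00);
SELECT current_user, session_user;
-- Drop back to the application role before the connection serves anyone else.
RESET ROLE;

-- Because of NOINHERIT, lsmb_app itself holds no privilege on the table,
-- so this direct access is rejected with a permission error.
SELECT * FROM ar_invoices;

-- SET SESSION AUTHORIZATION (Joshua's question) also changes the effective
-- user, but only a superuser may issue it, so the application would have to
-- connect as a superuser. SET ROLE works from an ordinary role and is the
-- safer fit here. Either way, the switch is only as strong as the SQL the
-- application runs after it: any statement the user can inject could issue
-- RESET ROLE itself, so the application must still use parameterised queries.
```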