
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)




Chris Travers wrote:
> In going to native DB accounts, one of the difficulties we have to resolve
> is how to effectively authenticate serial requests.  The major problem has
> to do with how the password to the database is stored.  I am going to
> suggest that we move to using HTTP authentication as the primary mechanism
> of authentication and automate this from the login screen where possible
> using Javascript.  A secondary method could be offered where the passwords
> are stored in the db, but this has more serious security concerns associated
> and therefore I would suggest that we do not go that route.
> 
> The major issue with storing the information in the session object is that a
> database superuser could review all passwords of all currently logged in
> users.

Passwords will not be stored as plain text... they will be an encrypted
hash. I am not understanding the problem.

Joshua D. Drake

> I don't think that this is acceptable as it both allows a set of
> trusted individuals to bypass security of the db and also undermines basic
> security mechanisms of PostgreSQL as a whole (which we rely on).  If anyone
> has better ideas, I am open to them.  However, this will also put us within
> striking distance of transparent single signon support (for things like
> Kerberos).
> 
> The big disadvantage is that some browsers may handle authentication
> differently and we will have to address this.
> 
> Best Wishes,
> Chris Travers
> 


-- 

      === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564   24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997  http://www.commandprompt.com/
			UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
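The per-request flow Chris proposes above, as an added example that is not LedgerSMB's own code: the browser resends its HTTP Basic credentials with every request, the server decodes them and hands them to the database driver as a connection string built for that request only, and nothing is written to a session object. The sample header, user name, database name and the libpq keyword=value DSN format are constructed assumptions for illustration.

```python
import base64
import binascii


def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header,
    or None if the header is absent, malformed or not the Basic scheme."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def dsn_quote(value):
    """Quote one libpq keyword=value item: values that are empty or contain
    spaces, quotes or backslashes are single-quoted with ' and \\ escaped."""
    if value and not any(c in value for c in " '\\"):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_dsn(creds, dbname, host="localhost"):
    """Build the connection string for this request only; the password is
    never written to a session store, so it lives only as long as the request."""
    user, password = creds
    return (f"host={dsn_quote(host)} dbname={dsn_quote(dbname)} "
            f"user={dsn_quote(user)} password={dsn_quote(password)}")


def handle_request(headers, dbname):
    """Per-request handler: answer 401 with a challenge when credentials are
    missing or malformed, otherwise return the DSN to hand to the DB driver."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"WWW-Authenticate": 'Basic realm="LedgerSMB"'}, None
    return 200, {}, build_dsn(creds, dbname)


# Constructed sample request, as a browser would resend it after the login prompt.
SAMPLE_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"ledgeruser:s3cret pass").decode("ascii"),
}
```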
