Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
- Subject: Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
- From: "Joshua D. Drake" <..hidden..>
- Date: Mon, 01 Oct 2007 17:01:47 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris Travers wrote:
> In going to native DB accounts, one of the difficulties we have to resolve
> is how to effectively authenticate serial requests. The major problem has
> to do with how the password to the database is stored. I am going to
> suggest that we move to using HTTP authentication as the primary mechanism
> of authentication and automate this from the login screen where possible
> using Javascript. A secondary method could be offered where the passwords
> are stored in the db, but this has more serious security concerns associated
> and therefore I would suggest that we do not go that route.
>
> The major issue with storing the information in the session object is that a
> database superuser could review all passwords of all currently logged in
> users.
Passwords will not be stored as plain text... they will be an encrypted
hash. I am not understanding the problem.
Joshua D. Drake
> I don't think that this is acceptable as it both allows a set of
> trusted individuals to bypass security of the db and also undermines basic
> security mechanisms of PostgreSQL as a whole (which we rely on). If anyone
> has better ideas, I am open to them. However, this will also put us within
> striking distance of transparent single signon support (for things like
> Kerberos).
>
> The big disadvantage is that some browsers may handle authentication
> differently and we will have to address this.
>
> Best Wishes,
> Chris Travers
>
> _______________________________________________
> Ledger-smb-devel mailing list
> ..hidden..
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
- --
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 24x7/Emergency: +1.800.492.2240
PostgreSQL solutions since 1997 http://www.commandprompt.com/
UNIQUE NOT NULL
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHAYprATb/zqfZUUQRAm42AKCVIh5IavIUPj9v/ZF2dtQpbTPCBACfbTDJ
SXuBw/yk6Vr53NHN5+ZcpbM=
=HGMY
-----END PGP SIGNATURE-----
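The two designs the thread argues over, as an added illustration that is not LedgerSMB code and not from either poster: Design A parks the database credential in a server-side session store so later requests can re-authenticate, while Design B (Chris's HTTP-auth proposal) takes the credential from the browser's Basic Authorization header on every request and keeps nothing reusable in the session. The role table, session store and the `db_connect` stand-in are constructed; the point the code makes is that whatever the application keeps in order to log in again on the next request is a reusable credential for that role, so anyone who can read the session table (a database superuser included) reads it too.

```python
"""Two session designs for serial requests against native DB accounts.

Design A keeps the DB credential in the server-side session store between
requests; Design B takes it from the HTTP Basic Authorization header on every
request and keeps nothing reusable in the session. All names and data here
are constructed for illustration and are not LedgerSMB code.
"""
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed role table standing in for the database's own authentication.
DB_ROLES: Dict[str, str] = {"alice": "s3cret-pw"}

# Constructed server-side session store. Anyone who can read the backing
# table (a database superuser, a backup operator) sees exactly these values.
SESSION_STORE: Dict[str, Dict[str, str]] = {}


def db_connect(user: str, password: str) -> bool:
    """Stand-in for a native login: succeeds only with the role's credential.

    Whatever the application keeps in order to call this on the next request
    is therefore a reusable credential for that role, whether it is the
    plaintext or a password-equivalent digest.
    """
    return DB_ROLES.get(user) == password


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'.

    Returns None for a missing, non-Basic or malformed header rather than
    raising, so a bad header becomes a 401 instead of a 500.
    """
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


# --- Design A: credential stored in the session -----------------------------

def login_session_stored(session_id: str, user: str, password: str) -> bool:
    """Login screen verifies once, then parks the credential for later requests."""
    if not db_connect(user, password):
        return False
    SESSION_STORE[session_id] = {"user": user, "db_password": password}
    return True


def request_session_stored(session_id: str) -> bool:
    """Later request: re-authenticates to the DB from the stored credential."""
    sess = SESSION_STORE.get(session_id)
    return bool(sess) and db_connect(sess["user"], sess["db_password"])


# --- Design B: credential supplied by the browser on every request ----------

def request_http_auth(session_id: str, authorization_header: Optional[str]) -> bool:
    """Every request carries the credential; the session keeps only the user name."""
    creds = parse_basic_auth(authorization_header)
    if creds is None:
        return False
    user, password = creds
    if not db_connect(user, password):
        return False
    SESSION_STORE[session_id] = {"user": user}  # no secret parked server-side
    return True


def credentials_visible_in_store() -> List[str]:
    """What a reader of the session table learns: every parked DB password."""
    return [s["db_password"] for s in SESSION_STORE.values() if "db_password" in s]


def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after an HTTP Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    SESSION_STORE.clear()
    login_session_stored("sid-A", "alice", "s3cret-pw")
    request_session_stored("sid-A")
    print("design A, visible in store:", credentials_visible_in_store())
    SESSION_STORE.clear()
    request_http_auth("sid-B", basic_header("alice", "s3cret-pw"))
    print("design B, visible in store:", credentials_visible_in_store())
```

Running the block prints the parked password for Design A and an empty list for Design B. The browser-handling caveat Chris raises is real: with Basic auth the credential travels on every request, so the transport must be TLS, and "logout" depends on the browser discarding its cached credential, which the server cannot force.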