Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)
Hi Josh,

On Thu, 04.10.2007 at 11:03:24 -0700, Josh Berkus <..hidden..> wrote:
> Toni,
> > You have a username/password combination set for the application that
> > the application uses to request e.g. authentication data from the
> > database. Alternatively, you leap and implement OpenID, which "solves"
> > all other problems for you.
> 
> This sort of a scheme works with application users stored in a table.  
> However, LedgerSMB desires to use *database users* (i.e. ROLES) so that the 
> same set of access restrictions can be maintained across 3rd-party 
> applications which connect to the database.

ok... maybe, but in this case, there's a design conflict between having
a uniform access method implemented within the database, and possible
deployment scenarios of an application utilizing this storage.
Personally, I find using SQL-Ledger behind an SSL reverse (rewriting)
proxy gateway attractive. This is a common usage pattern, as far as I
can see.

Has PostgreSQL some sort of a 'sudo' feature? That could solve the
problem along the lines of "does this username/password pair
authenticate? if yes, execute the following query under the rights of
the associated role".


Best,
--Toni++
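An added illustration, not part of this thread and not LedgerSMB project code, of the closest thing PostgreSQL offers to the 'sudo' Toni asks about: role membership combined with `SET ROLE`. A gateway role the application connects as is created `NOINHERIT`, so it holds no data privileges of its own and only acquires a user's rights after an explicit `SET LOCAL ROLE`. The role names (`ledger_gateway`, `alice`, `ledger_readers`), the table `ar_invoices` and the passwords are constructed placeholders.

```sql
-- Added example; not from the mailing-list thread or the LedgerSMB project.
-- Role names, table and passwords below are constructed for illustration.

-- 1. One database role per end user; these hold the real privileges.
CREATE ROLE ledger_readers NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
GRANT ledger_readers TO alice;

-- 2. The gateway role the application (or the back end behind the SSL
--    reverse proxy) connects as. NOINHERIT means it does NOT silently get
--    its members' privileges; it only gains them after an explicit
--    SET ROLE, which is the 'sudo' step.
CREATE ROLE ledger_gateway LOGIN PASSWORD 'placeholder-change-me' NOINHERIT;
GRANT alice TO ledger_gateway;

-- 3. Sample table readable only through ledger_readers (hence by alice).
CREATE TABLE ar_invoices (
    id       serial PRIMARY KEY,
    amount   numeric NOT NULL,
    customer text    NOT NULL
);
REVOKE ALL ON ar_invoices FROM PUBLIC;
GRANT SELECT ON ar_invoices TO ledger_readers;

-- 4. In a session opened as ledger_gateway, after the application has
--    established who the end user is:
BEGIN;
SET LOCAL ROLE alice;               -- run the rest of the transaction as alice
SELECT current_user, session_user;  -- current_user = alice, session_user = ledger_gateway
SELECT count(*) FROM ar_invoices;   -- allowed via alice's membership in ledger_readers
COMMIT;                             -- SET LOCAL reverts automatically at COMMIT/ROLLBACK

-- 5. Outside that transaction the gateway itself is refused, because
--    NOINHERIT withholds alice's privileges until SET ROLE is used:
SELECT count(*) FROM ar_invoices;   -- ERROR: permission denied for table ar_invoices
```

Two caveats for anyone applying this pattern. `SET ROLE` does not verify a password: the authorization is the `GRANT alice TO ledger_gateway` membership, so the gateway credentials become a high-value secret and membership should be granted narrowly and kept `NOINHERIT`. If the application needs PostgreSQL itself to check the user's password, the only built-in way is to open a connection as that user; `SET SESSION AUTHORIZATION` is not a substitute, since it requires superuser. On the audit side, `session_user` still reports `ledger_gateway` while `current_user` reports the switched role, which lets server logs distinguish the connecting application from the user it acted for.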