On Mon, Nov 16, 2009 at 7:14 AM, Chris Anderson <[email protected]> wrote:
>
> The easiest way right now is to use a proxy like Apache httpd with
> rewrite configuration.
>
> One place to look is the Ubuntu One source code:
>
> https://code.launchpad.net/~sil/desktopcouch/plaintext-auth-for-u1
>
> There's also some stuff on the wiki:
>
> http://wiki.apache.org/couchdb/Authentication_and_Authorization

Indeed I was about to ask the same things, though I'm more interested in authenticating applications than humans. For that purpose so far we have granted access without authentication via a VPN connecting only trusted machines, which is the laziest and most effective setup, since it seems to me that all other authentication/authorization methods are too heavy for applications:

- if it's plain text, we can't afford to set up https for any request
- cookie based doesn't protect from replay attacks or stolen cookies, from what I've seen, and https is again needed
- about OAuth, I'm still trying to understand how it's used in CouchDB; it may be the solution, but I've no idea how to set it up and if any request is signed differently or it's just like a cookie granting access, so we must again use https.

In an ideal world I think that for applications the best solution is giving the client the ability to:

- sign each request with a shared secret (perhaps session based in order not to make it live long), if you care just about authorization
- encrypt the whole request (query string & post data) and response if we need also confidentiality

bye

--
Fabio Forno, Ooros srl
jabber id: [email protected]
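
The per-request signing with a shared secret proposed in the message above, sketched as an added example; it is not part of the original message and not CouchDB code. It goes one step further than the message by binding a timestamp and nonce into the signature so a captured request cannot be replayed. The function names, the canonical string layout and the 300-second window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)

def canonical(method, path, query, body, ts, nonce):
    # The exact byte string both sides sign; the body is bound by its hash.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, body_hash, str(ts), nonce]).encode()

def sign(key, method, path, query, body, ts=None, nonce=None):
    # Client side: returns the values to send alongside the request.
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(16)
    msg = canonical(method, path, query, body, ts, nonce)
    return ts, nonce, hmac.new(key, msg, hashlib.sha256).hexdigest()

class Verifier:
    # Server side: checks the MAC first, then freshness, then nonce reuse.
    def __init__(self, key):
        self.key, self.seen = key, {}  # seen maps nonce -> request timestamp

    def verify(self, method, path, query, body, ts, nonce, sig, now=None):
        now = int(time.time()) if now is None else now
        msg = canonical(method, path, query, body, ts, nonce)
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # Nonces outside the window can be dropped: their timestamp is already stale.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = ts
        return "ok"

def demo():
    # Constructed session key and request, not taken from the thread.
    key = b"constructed-session-secret"
    server = Verifier(key)
    body = b'{"type": "note"}'
    ts, nonce, sig = sign(key, "PUT", "/db/doc1", "rev=1", body, ts=1000)
    req = ("PUT", "/db/doc1", "rev=1", body, ts, nonce, sig)
    tampered = ("PUT", "/db/doc2", "rev=1", body, ts, nonce, sig)
    return [server.verify(*req, now=1010), server.verify(*req, now=1020),
            server.verify(*tampered, now=1020), server.verify(*req, now=2000)]
```

This gives authenticity and integrity only; the request and response still travel in the clear, which is the confidentiality gap the second bullet of the message addresses.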
