Do you mean that users could bypass Apache by accessing CouchDB directly? For example, by connecting to port 5984? If that is the problem, you should configure CouchDB to bind to the local interface so that it refuses connections from other machines. Then set up Apache as a reverse proxy to forward requests to CouchDB. That way all connections to CouchDB will be forced through the Apache authentication step.

If the problem is setting up more granular permissions than a simple allow or deny for the whole CouchDB server, I think that mod_auth will give you some options. There is probably a way to handle authorization differently for different request paths. Or it might be possible to rewrite OpenSSO credentials to basic auth headers in Apache. That way you could map OpenSSO users to CouchDB groups to make use of CouchDB's internal permissions systems.

You could of course modify the CouchDB code instead. I'm sure the devs would appreciate patches for new features. However, I'm pretty certain that that is the hard way.

On Oct 19, 2009 9:21 AM, "Suhail Ahmed" <[email protected]> wrote:

Thanks

Unfortunately, Apache mod_auth is not an option with me because my requirements are to provide security in depth and since CouchDB still exposes its rest interfaces independent of Apache, I need to lock that down in a more integration architecture.

Cheers
su./hail

On Mon, Oct 19, 2009 at 1:13 PM, Miles Fidelman <[email protected]> wrote:

> Suhail Ahmed wrote:
>
>> Hi,
>>
>> I am looking to replacing my existing content management engin...
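A check for the first suggestion in the reply at the top of this thread, as an added example that is not part of the original messages: it reads CouchDB ini text and reports whether the listener is bound to a loopback address, so that port 5984 can only be reached through the Apache reverse proxy. The sample configs are constructed, and the `[httpd]`/`[chttpd]` section names and the `bind_address` key are assumptions about the installed CouchDB version.

```python
import configparser
import ipaddress

# Constructed sample configs (not taken from the thread).
# Assumption: the listener address lives in [httpd] (older releases)
# or [chttpd] (newer releases) under the key bind_address.
EXPOSED_INI = """
[httpd]
port = 5984
bind_address = 0.0.0.0
"""

LOCAL_ONLY_INI = """
[httpd]
port = 5984
bind_address = 127.0.0.1
"""


def bind_findings(ini_text):
    """Return a list of (section, address, is_loopback) for each listener."""
    # strict=False tolerates repeated sections; interpolation is disabled
    # so '%' characters elsewhere in the file do not raise.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    findings = []
    for section in ("httpd", "chttpd"):
        if cp.has_option(section, "bind_address"):
            raw = cp.get(section, "bind_address").strip()
            try:
                loopback = ipaddress.ip_address(raw).is_loopback
            except ValueError:
                # Hostname or malformed value: cannot be verified here,
                # so report it as not confirmed loopback.
                loopback = False
            findings.append((section, raw, loopback))
    return findings


def forced_through_proxy(ini_text):
    """True only if a bind address is set and every one is loopback."""
    findings = bind_findings(ini_text)
    return bool(findings) and all(is_lb for _, _, is_lb in findings)


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_INI), ("local-only", LOCAL_ONLY_INI)):
        print(name, bind_findings(text), forced_through_proxy(text))
```

A file with no `bind_address` at all is reported as not confirmed, because the effective value then comes from the installation's defaults rather than from the file being audited.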
