Re: [Gnumed-devel] GNUmed web interface - authentication

[Luke Kenneth Casson Leighton]

On Thu, Oct 7, 2010 at 7:54 PM, Sebastian Hilbert
<address@hidden> wrote:
>> I wonder if you considered using TLS client certificates to provide the
>> persistent identity?

 how would these result in authentication at the postgresql level?

 does postgresql have an authentication plugin which allows TLS client
certificates to be used?

 the problem richard is that the design of the web service is totally
unlike any other web service you will ever see in your life.  unlike
"normal" web service frameworks where the web service is the sole and
exclusive authenticated user that connects to the database, gnumed
uses postgresql "roles" to authenticate.

 as in - it is actually the job of the postgresql database, via the
postgres users and postgres passwords, to perform the user
authentication.  this is NOT normal practice in web frameworks:
typically the web framework has a database stuffed with usernames and
credentials (hashes of passwords) and the web _framework_ performs
authentication, having gained access to that database table with its
one and one only database authentication user+password.

 so any authentication replacement or modifications to the gnumed web
service MUST pass those credentials through - not to the web framework
- but actually TO POSTGRESQL.

 thus, if you want TLS client certificates, then it is NOT THE WEB
FRAMEWORK that must support TLS client certificate authentication, but
*POSTGRESQL* which must support TLS client certificate authentication.

 if you know how that is done, then an investigation can begin as to
how it can be integrated into the highly-specialised gnumed web
service.

l.