[4244] in WWW Security List Archive
Web Server Database Access Control
daemon@ATHENA.MIT.EDU (mark.e.von.weihe)
Mon Feb 3 15:07:13 1997
To: paul friedrichs <paul@mnsinc.com>
Cc: www-security <www-security@ns2.rutgers.edu>
From: "mark.e.von.weihe" <mark.e.von.weihe@ac.com>
Date: 3 Feb 97 2:18:42
Errors-To: owner-www-security@ns2.rutgers.edu
I don't think you're missing anything. There doesn't seem to be a convenient
way to extract anything like a user ID from the client certificate. In the NS
Enterprise server, the certificate is available via NSAPI or CGI environmental
variable, but it looks like we have to do the decoding and parsing ourselves.
This gives you the chance to work with SSLRef or SSLeay, unless someone's
written a server plugin or friendly API for this.....
Mark
----------------------------------------------------------------------
To: www-security @ ns2.rutgers.edu @ internet
cc: (bcc: Mark E. Von Weihe)
From: paul @ mnsinc.com (Paul Friedrichs) @ internet
Date: 02/01/97 04:12 AM
Subject: Web Server Database Access Control
----------------------------------------------------------------------
1) I am trying to control access to a database using a) the database's
own ACLs and b) database user IDs provided by a web front end that
authenticates users using only SSL/TLS client certificates. The
certificates would refer to users by their database user IDs. It seems
to me there is not yet any means for a web server to pass user ID to the
database without forcing the user to log in after connecting to the web
server. Am I missing something?
Thanks,
Paul
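
The parsing step the reply says is left to the application, sketched as an added example that is not part of either message or of any server's API. It assumes the server has already verified the certificate chain and that the subject DN has been decoded into an RFC 4514 style string; the function names, the user ID policy and the sample DN are constructed for illustration.

```python
import re
# Assumed site policy (not from the thread): what a database user ID may look like.
DB_USER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
SAMPLE_DN = r"O=Example\, CN=admin,CN=pfried"   # constructed; a naive split(",") sees CN=admin

def split_unescaped(text, seps):
    """Split on separator characters that are neither backslash-escaped nor quoted."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair for unescape() below
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Undo \\XX hex pairs and single-character escapes, drop surrounding quotes."""
    value = value.strip().strip('"')
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)

def parse_dn(dn):
    """Return (attribute, value) pairs; ',' separates RDNs and '+' joins multi-valued ones."""
    pairs = []
    for ava in split_unescaped(dn, ",+"):
        attr, sep, value = ava.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed DN component: %r" % ava)
        pairs.append((attr.strip().upper(), unescape(value)))
    return pairs

def db_user_from_dn(dn, attr="CN"):
    """Map a verified certificate's subject DN to one database user ID, or raise."""
    values = [v for a, v in parse_dn(dn) if a == attr]
    if len(values) != 1:               # duplicate or missing attribute: ambiguous identity
        raise ValueError("expected exactly one %s, found %d" % (attr, len(values)))
    if not DB_USER_RE.fullmatch(values[0]):
        raise ValueError("%s value is not a valid database user ID" % attr)
    return values[0]
```

The resulting ID is only as trustworthy as the CA that issued the certificate, so the mapping belongs behind a check that the issuer is one the database owner accepts.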