Securing document-style databases (MongoDB, CouchDB, RavenDB) for direct access from the client (browser)

Document databases that support JSON access via REST-style HTTP seem ideal for supporting AJAX-rich applications where the browser makes direct calls to the database, bypassing the traditional web server / application components. An example of this is getting user preferences after user authentication. (The BBC homepage can be a good example of this, before a crash under load!)

The problem with this scenario is security: if the user is authenticated by a web server (for example, basic forms authentication), how is that identity passed on to the document database? Is the only answer to proxy all queries to the database through the web server anyway, for example to protect the document database so that there is no direct external access?

This seems to make the most sense and is the easiest to implement, but I was wondering if anyone has any experience and/or advice on using document DBs in a heterogeneous environment?

+6
mongodb couchdb nosql ravendb
2 answers

This is probably different in every database you specify. Here's how it works in CouchDB.

CouchDB lets you manage users and roles.

You can use the validate_doc_update function in your design documents to restrict document creation/updating. For example, you can write a validation that refuses updates to a document by anyone except its author.

To limit who can read documents from the database, you can edit the document /db_name/_security and specify users or roles.

However, I do not think that you can make read access more fine-grained (that is, allow a user to read only the documents they created).

To achieve this, you must place CouchDB behind a proxy server and serve documents through views to authenticated users. You can still use CouchDB user management; the proxy server simply hides direct access to the database.

For more information, check out the overview on the CouchDB wiki, the book Relax, and this short screencast.

+1

Well, I only have experience with CouchDB, but I hope I can help you nonetheless.

CouchDB has a built-in validation process: you write your validation rules in JavaScript and get access to the groups the current user is in. All this is basically handled by CouchDB; you don't have to care about how you get the login information.

+1
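Both answers describe the same CouchDB mechanism: a `validate_doc_update` function in a design document that decides per write, using the user context CouchDB supplies, and a `_security` document that decides who may read the database at all. The block below is an added illustration, not code from either answer or from the CouchDB project. It assumes documents carry an `author` field equal to the CouchDB user name, and the role names `user` and `editor` and the helpers `checkWrite` and `canRead` are constructed for this example; `canRead` mirrors the documented `_security` semantics (empty `members` means a publicly readable database) so the coarse read control can be exercised next to the fine-grained write control.

```javascript
// Added example (not from the original answers or from CouchDB): a
// validate_doc_update function that lets only a document's author create,
// update or delete it, plus a sample _security document that limits who may
// read the database at all. The "author" field and the roles "user" and
// "editor" are constructed for this illustration.

// CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx, secObj) once per
// write. Throwing {unauthorized: ...} rejects with HTTP 401, throwing
// {forbidden: ...} rejects with HTTP 403; returning normally accepts the write.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  var roles = userCtx.roles || [];
  var isAdmin = roles.indexOf('_admin') !== -1;

  // Anonymous writers are rejected before any document inspection.
  if (!userCtx.name) {
    throw ({ unauthorized: 'You must log in to write to this database.' });
  }
  // Server/database admins bypass the ownership rule.
  if (isAdmin) {
    return;
  }
  // Deletion: only the existing author may delete.
  if (newDoc._deleted) {
    if (!oldDoc || oldDoc.author !== userCtx.name) {
      throw ({ forbidden: 'Only the author may delete this document.' });
    }
    return;
  }
  // Every stored document must name its author, and the author must be the
  // logged-in user (prevents writing documents on someone else's behalf).
  if (typeof newDoc.author !== 'string' || newDoc.author === '') {
    throw ({ forbidden: 'Document must have an author field.' });
  }
  if (newDoc.author !== userCtx.name) {
    throw ({ forbidden: 'author must match the logged-in user.' });
  }
  // Update: the existing document must belong to the same user (also blocks
  // taking over a document by rewriting its author field).
  if (oldDoc && oldDoc.author !== userCtx.name) {
    throw ({ forbidden: 'Only the author may update this document.' });
  }
}

// Sample /db_name/_security document (constructed). Only names/roles listed
// under "members" or "admins" may read the database; everyone else is
// rejected on every request. This is the coarse read control the first
// answer describes: it cannot express "only the documents you created".
var SECURITY_DOC = {
  admins:  { names: [], roles: ['editor'] },
  members: { names: [], roles: ['user'] }
};

// Helper for exercising the validator outside CouchDB: returns 'ok',
// 'unauthorized' or 'forbidden' instead of throwing.
function checkWrite(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, SECURITY_DOC);
    return 'ok';
  } catch (e) {
    if (e && e.unauthorized) return 'unauthorized';
    if (e && e.forbidden) return 'forbidden';
    throw e;
  }
}

// Mirrors CouchDB's read check against the _security document: a user may
// read if listed by name or role under members or admins, or if the members
// section is empty (a publicly readable database).
function canRead(secObj, userCtx) {
  var roles = userCtx.roles || [];
  if (roles.indexOf('_admin') !== -1) return true;
  function listed(section) {
    if (!section) return false;
    if ((section.names || []).indexOf(userCtx.name) !== -1) return true;
    return (section.roles || []).some(function (r) {
      return roles.indexOf(r) !== -1;
    });
  }
  var members = secObj.members || {};
  var membersEmpty = !(members.names || []).length &&
                     !(members.roles || []).length;
  return membersEmpty || listed(members) || listed(secObj.admins);
}
```

The write-side function is what you would store as `validate_doc_update` in a design document; the `_security` object is what you would PUT to `/db_name/_security`. Together they cover exactly what the first answer says CouchDB can do on its own: per-document write ownership and database-wide read membership. Per-document read restriction is still not expressible here, which is why that answer sends reads through a proxy and views.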
