httpd-dev mailing list archives

From Nathan Neulinger <>
Subject Re: Thoughts on Auth
Date Thu, 29 Aug 1996 22:26:17 GMT
>> the "relating users to permissions" part of auth and the "verifying the
>> identity" part.
>No, there isn't, unfortunately. Way back when I wrote mod_digest, I tried. I
>really did. The problem is that we store passwords crypted. Which doesn't
>work for digest auth. And doesn't work for any of the other
>challenge/response auth mechanisms out there. So I decided it wasn't worth
>reworking the API for something that wouldn't be useful anyhow.

What does having the user's password have to do with "relating users to
permissions"? The authentication of identity is completely really doesn't
have anything to do with choosing whether a user should have access to

I think separating the two distinctly would make a lot of sense. In a way,
it already is, when people use the group stuff from the main auth mod, and
use another auth mod for the user checking that doesn't do groups itself,
it is essentially two separate tasks.

I would however suggest that some manner of letting a future "access
checking" phase know that "we don't know who this user is", or "this is an
unverified user" which would help to support things like anonymous
authorizations, etc.

-- Nathan

Nathan Neulinger                  Univ. of Missouri - Rolla
EMail:                  Computing Services
WWW:      SysAdmin:
