httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sander Striker" <stri...@apache.org>
Subject RE: Authentication and Authorization
Date Fri, 07 Sep 2001 14:05:19 GMT
> Sander Striker wrote:
> 
> > IMO this should be split.  Auth and authz are
> > completely different things and it would be nice
> > to have different modules to do authentication
> > in a different way, but still utilize the same
> > authorization method.
> 
> I'm not sure if splitting them will accomplish this though. From the
> LDAP auth stuff, the authentication phase and the authorisation phase
> are separate, but share common configuration parameters (LDAP bind info,
> for example), so splitting them wouldn't make much sense.

In all the modules the phases are seperate, because they all hook
check_user_id and check_user_access.  There is no way however to
determine the group a user is in from check_user_id in a non module
specific way.  I would like _that_ to be possible, since now, the
authz part (check_user_access) is doing stuff auth should do: checking
for group membership.
 
> Also - there isn't a clear line over what constitutes an authentication
> token - again, the LDAP authenticator converts a provided username into
> a DN, which the authorisation phase uses to apply to the require
> directives. If you have to mix up the different modules, you would need
> to make sure they are all talking the same language (so to speak).

Yes, but I don't see that as a problem.  Right now, the same is
true for the FakeBasicAuth feature of mod_ssl which provides a one line
DN as the username.

> Regards,
> Graham

Sander


Mime
View raw message