From: "Sander Striker"
To: dev@httpd.apache.org
Subject: RE: Authentication and Authorization
Date: Fri, 7 Sep 2001 16:05:19 +0200
In-Reply-To: <3B98D081.9BBD0176@sharp.fm>

> Sander Striker wrote:
>
> > IMO this should be split. Auth and authz are
> > completely different things and it would be nice
> > to have different modules to do authentication
> > in a different way, but still utilize the same
> > authorization method.
>
> I'm not sure if splitting them will accomplish this though. From the
> LDAP auth stuff, the authentication phase and the authorisation phase
> are separate, but share common configuration parameters (LDAP bind info,
> for example), so splitting them wouldn't make much sense.

In all the modules the phases are separate, because they all hook
check_user_id and check_user_access. There is no way however to
determine the group a user is in from check_user_id in a
non-module-specific way. I would like _that_ to be possible, since now
the authz part (check_user_access) is doing stuff auth should do:
checking for group membership.
> Also - there isn't a clear line over what constitutes an authentication
> token - again, the LDAP authenticator converts a provided username into
> a DN, which the authorisation phase uses to apply to the require
> directives. If you have to mix up the different modules, you would need
> to make sure they are all talking the same language (so to speak).

Yes, but I don't see that as a problem. Right now, the same is true for
the FakeBasicAuth feature of mod_ssl, which provides a one-line DN as
the username.

> Regards,
> Graham

Sander
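A self-contained model of the split argued for in this thread, added here as an example and not code from httpd or from either author: two authenticators (a password-file lookup and a DN-style identity of the kind mod_ssl's FakeBasicAuth or an LDAP lookup supplies) both hand the check_user_access phase one module-neutral token carrying the user plus the groups resolved during check_user_id, so a single authz routine evaluates "require" lines without knowing how the user was authenticated. All type names, sample users and the DN layout are constructed; nothing here uses httpd's real hook or request_rec APIs.

```c
#include <stdio.h>
#include <string.h>
/* Constructed, module-neutral result of check_user_id (not httpd's request_rec). */
typedef struct {
    const char *user;   /* NULL: authentication failed */
    char groups[64];    /* space-separated group names resolved by the authenticator */
} auth_token;
/* Does the space/comma-separated list contain the n-byte word? */
static int word_in(const char *list, const char *word, size_t n) {
    for (const char *p = list; *p; p += strcspn(p, " ,"), p += strspn(p, " ,"))
        if (strcspn(p, " ,") == n && !strncmp(p, word, n)) return 1;
    return 0;
}
/* Authenticator A: password-file style, constructed sample entries. */
static const struct { const char *user, *pw, *groups; } file_db[] = {
    { "alice", "s3cret", "admins staff" }, { "bob", "hunter2", "staff" } };
static int file_check_user_id(const char *user, const char *pw, auth_token *t) {
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < sizeof file_db / sizeof *file_db; i++)
        if (!strcmp(file_db[i].user, user) && !strcmp(file_db[i].pw, pw)) {
            t->user = file_db[i].user;
            snprintf(t->groups, sizeof t->groups, "%s", file_db[i].groups);
            return 1;
        }
    return 0;
}

/* Authenticator B: a DN-style identity (what FakeBasicAuth or an LDAP lookup
 * hands over), mapped to user = CN and group = OU before authz ever sees it.
 * t->user points into dn, so the caller keeps dn alive while t is in use. */
static int dn_check_user_id(const char *dn, auth_token *t) {
    const char *cn = strstr(dn, "/CN="), *ou = strstr(dn, "/OU=");
    memset(t, 0, sizeof *t);
    if (!cn || strchr(cn + 4, '/')) return 0;   /* expect CN as the last RDN */
    t->user = cn + 4;
    if (ou) snprintf(t->groups, sizeof t->groups, "%.*s", (int)strcspn(ou + 4, "/"), ou + 4);
    return 1;
}

/* Shared check_user_access: judges one "require" line against the token alone,
 * so it is the same code whichever authenticator produced the token. */
static int check_user_access(const auth_token *t, const char *require) {
    if (!t->user) return 0;
    if (!strcmp(require, "valid-user")) return 1;
    if (!strncmp(require, "user ", 5)) return word_in(require + 5, t->user, strlen(t->user));
    if (!strncmp(require, "group ", 6))
        for (const char *p = require + 6; *p; p += strcspn(p, " "), p += strspn(p, " "))
            if (word_in(t->groups, p, strcspn(p, " "))) return 1;
    return 0;
}
```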