From: dirkx@covalent.net
To: dev@httpd.apache.org
Date: Wed, 10 Jul 2002 23:27:50 +0200 (CEST)
Subject: Re: Auth - how much legacy to preserve ?

On Wed, 10 Jul 2002, Pier Fumagalli wrote:

> Dirk, since you're working on a patch for Auth, would it be possible to have
> the groups list somewhere in the request structure? It would be great with
> web applications, where we can match groups with roles (therefore allowing
> authentication to be processed by apache entirely)...

Well - r->user, or any r->credentials are valid there; as they come from
the protocol; i.e. are part of the request.

The group information can, depending on protocol, come from more than one
source

-> provided with the credentials (e.g. like the 'account' dimension in ftp
   or your kerberos realm).

-> a user can belong to N groups as returned by an all knowing auth system
   when asked.

-> a check if the user was in a list of M groups can have yielded that he
   was a member of P groups which is a subset of M.

Once you add group; there are other dimensions too; i.e. think of the
login.conf resources on BSD, a much more mature framework like that on
mainframes, and so on.

So this is perhaps a bit more complex than just that. What is it you would
feel as most useful in the web application world - could you elaborate?

Dw.