httpd-dev mailing list archives

From Justin Erenkrantz <>
Subject Re: authentication rewrite
Date Tue, 27 Aug 2002 16:51:09 GMT
On Tue, Aug 27, 2002 at 10:12:43AM -0400, wrote:
> than the current AAA modules.  In a 'require group' world, it is very nice
> to abstract this stuff out so backends can be re-used, and apache specific
> logic can be centralized - as you have proposed.  But it will be harder
> to plug in backends that try to do more with requirements (of which there
> really aren't many)- which is probably fine.

Without seeing use cases, it's hard to know what people want.  For
now, I can only go off of what we have now.

(I'm hoping that people who write third-party auth engines speak
up now and point out how this API could make it better for them if
it only did XYZ.)

> 1) It looks like the 'AuthProvider' does not allow you to stack auth handlers.
>  It would be cool (if not critical :) if it was more of an AddAuthProvider
> - then the basic auth handler loops through all providers that are added.
>  This way you could configure ldap and anon for a given location.
> 2) If you do allow stacking of providers like this, you need to also provide
> the ability to specify which one is authoritative (if any).

Yeah, you hit the problem with stacking - authoritative.  I'm not
sure how useful having multiple backends could be.  I'd almost
suggest that something like a PAM backend would be much better and
allows a fairly standard configuration.  (I know Dirk has a PAM
module somewhere.)  That removes the stacking component entirely if
we supported PAM.

But, yeah, I think we could implement multiple providers ourselves
if we wanted to.

> 3) Maybe I'm missing something, but why did you rewrite ap_note_basic_auth_failure
> and ap_get_basic_auth?  assuming there was a reason, maybe a comment in
> the code would help clarify it.

I want to toss ap_note_basic_auth_failure and ap_get_basic_auth.
That code doesn't belong in the server/protocol.c.  Ideally, any
modules that were using these functions could just implement a
backend module.  But, I don't think we want to have those exported
going forward - the only reason they are exported is because our API
sucked.  -- justin
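
Added example, not part of the original message and not httpd code: a sketch of quoted points 1 and 2, where a basic-auth check loops over stacked providers and a per-provider authoritative flag decides whether an unknown user falls through to the next backend. All type names, function names and sample credentials are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types for illustration; not httpd's API. */
typedef enum { AUTH_GRANTED, AUTH_DENIED, AUTH_USER_NOT_FOUND } auth_result;
typedef auth_result (*check_fn)(const char *user, const char *pw);
typedef struct {
    const char *name;
    check_fn check;
    int authoritative;   /* 1: an unknown user stops the walk here */
} provider;

/* Constructed backends standing in for the "ldap" and "anon" of the thread. */
static auth_result ldap_check(const char *user, const char *pw) {
    if (strcmp(user, "alice") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(pw, "s3cret") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}
static auth_result anon_check(const char *user, const char *pw) {
    (void)pw;   /* anonymous access ignores the password */
    return strcmp(user, "anonymous") == 0 ? AUTH_GRANTED : AUTH_USER_NOT_FOUND;
}

/* Same two providers; only the authoritative flag on ldap differs. */
const provider stacked[]    = { {"ldap", ldap_check, 0}, {"anon", anon_check, 0} };
const provider ldap_final[] = { {"ldap", ldap_check, 1}, {"anon", anon_check, 0} };

/* Walk the providers in order and fail closed when nobody grants. */
auth_result check_stack(const provider *p, size_t n,
                        const char *user, const char *pw) {
    for (size_t i = 0; i < n; i++) {
        auth_result r = p[i].check(user, pw);
        if (r == AUTH_GRANTED) return AUTH_GRANTED;
        /* A known user with a bad password is never retried elsewhere. */
        if (r == AUTH_DENIED || p[i].authoritative) return AUTH_DENIED;
    }
    return AUTH_DENIED;
}

int main(void) {
    printf("anonymous, stacked:    %d\n", check_stack(stacked, 2, "anonymous", ""));
    printf("anonymous, ldap final: %d\n", check_stack(ldap_final, 2, "anonymous", ""));
    printf("alice, bad password:   %d\n", check_stack(stacked, 2, "alice", "guess"));
    return 0;
}
```

Marking the first provider authoritative makes every later provider in the list unreachable for users it does not know, which is why the ordering and the flag have to be reviewed together.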
