Return-Path: 
 <dev-return-32544-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 24972 invoked by uid 500); 27 Aug 2002 16:51:06 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
list-post: <mailto:dev@httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 24958 invoked from network); 27 Aug 2002 16:51:06 -0000
X-Authentication-Warning: cancer.clove.org: jerenk set sender to
 jerenkrantz@apache.org using -f
Date: Tue, 27 Aug 2002 09:51:09 -0700
From: Justin Erenkrantz <jerenkrantz@apache.org>
To: dev@httpd.apache.org
Subject: Re: authentication rewrite
Message-ID: <20020827165109.GB21273@apache.org>
Mail-Followup-To: Justin Erenkrantz <jerenkrantz@apache.org>,
	dev@httpd.apache.org
References: <20020827064432.GY21273@apache.org>
 <3D52BACF00010935@mta05.san.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D52BACF00010935@mta05.san.yahoo.com>
User-Agent: Mutt/1.4i
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

On Tue, Aug 27, 2002 at 10:12:43AM -0400, john@sterls.com wrote:
> than the current AAA modules.  In a 'require group' world, it is very nice
> to abstract this stuff out so backends can be re-used, and apache specific
> logic can be centralized - as you have proposed.  But it will be harder
> to plug in backends that try to do more with requirements (of which there
> really aren't many)- which is probably fine.

Without seeing use cases, it's hard to know what people want.  For
now, I can only go off of what we have now.

(I'm hoping that people who write third-party auth engines speak
up now and point out how this API could make it better for them if
it only did XYZ.)

> 1) It looks like the 'AuthProvider' does not allow you to stack auth handlers.
>  I would be cool (if not critical :) if it was more of an AddAuthProvider
> - then the basic auth handler loops through all providers that are added.
>  This way you could configure ldap and anon for a given location.
>
> 2) If you do allow stacking of providers like this, you need to also provide
> the ability to specify which one is authoritative (if any).

Yeah, you hit the problem with stacking - authoritative.  I'm not
sure how useful having multiple backends could be.  I'd almost
suggest that something like a PAM backend would be much better and
allows a fairly standard configuration.  (I know Dirk has a PAM
module somewhere.)  That removes the stacking component entirely if
we supported PAM.

But, yeah, I think we could implement multiple providers ourselves
if we wanted to.

> 3) maybe i'm missing something, but why did you rewrite ap_note_basic_auth_failure
> and ap_get_basic_auth?  assuming there was a reason, maybe a comment in
> the code would help clarify it.

I want to toss ap_note_basic_auth_failure and ap_get_basic_auth.
That code doesn't belong in the server/protocol.c.  Ideally, any
modules that were using these functions could just implement a
backend module.  But, I don't think we want to have those exported
going forward - the only reason they are exported is because our API
sucked.  -- justin