httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@apache.org
Subject Re: auth stuff still broken
Date Tue, 17 Sep 2002 18:40:44 GMT
On Tue, 17 Sep 2002, Greg Stein wrote:

> On Tue, Sep 17, 2002 at 10:26:02AM -0700, Aaron Bannert wrote:
> > On Tue, Sep 17, 2002 at 01:00:44PM -0400, Ryan Bloom wrote:
> > > > Does that make any sense?  I'm certain you will have users misconfigure
> > > > the 'backstop' modules (_default flavors) resulting in insecure servers.
> > > > If the 'backstop' _default auth handlers are always loaded as part of
the
> > > > core mod_auth, users will have far fewer problems.
> > > 
> > > I almost like this, but I wouldn't put it mod_auth.  I would put them in
> > > the core.  The core server has always been the location for our default
> > > functions.
> > 
> > +1 for the core, or at least a module that's always statically compiled
> > (which is easy to do with the .m4 macros we have).
> 
> Well... as long as "core" means modules/http/.
> 
> But since our running of auth hooks comes from server/, then this stuff
> could prolly go there as well. IMO, it sucks that our "core" server knows
> about HTTP authentication and authorization.
> 
> In general: sure, this stuff makes some sense in the core rather than
> default modules.

It should be in server, please.  Remember that many protocol modules use
those same hooks to do their authentication.  Perhaps this re-org should
also try to abstract that stuff out.  But, regardless of whether the
HTTP-part of the authenticatio is abstracted, please leave the hooks in
the /server directory.  At some point, it would be really nice to be able
to build Apache without the /http module.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------


Mime
View raw message