httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: mod_access vs mod_authz_host
Date Wed, 09 Nov 2005 21:25:20 GMT
On Wednesday 09 November 2005 17:28, Justin Erenkrantz wrote:
> --On November 8, 2005 7:21:54 PM -0500 Geoffrey Young
>
> <geoff@modperlcookbook.org> wrote:
> > you really think so?  I think it's mistakenly given an authz namespace,
> > giving users the impression it steps in after authentication, or does
> > something else specifically based on r->user.  at least any users who
> > have bothered to wrap their heads around the entire aaa idiom and phase
> > separations.
>
> It runs with the access_checker/auth_checker hook.

That's two hooks of course, and not even contiguous.

> Which is an 
> authorization hook.  (So, yes, this implies that I think the
> access_checker/auth_checker split is off-kilter - they should really be the
> same, I think.)

That would lose Satisfy [Any|All].  We could rebuild the functionality on
AuthAuthoritative logic, but that's harder.

> But, I'll admit that mod_access_host isn't entirely bad.

Good.

> However, it'd be 
> really nice to re-do the second half of our auth system,

Agreed, authz isn't pretty.

OTOH, mod_[access|authz](_host)? is well clear of authz ugliness.
Why chuck away the bit that definitely doesn't want fixing?

> but I worry that 
> Sander's completely forgotten about his promises to do that.  =)  -- justin

Someone'll do it.  Eventually.  But not in time for 2.2.

-- 
Nick Kew

Mime
View raw message