httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: Auth*Authoritative
Date Wed, 16 Nov 2005 18:14:36 GMT


>>> On 11/16/2005 at 9:40 am, in message
<20051116164037.GG16335@scotch.ics.uci.edu>, justin@erenkrantz.com
wrote:
> On Tue, Nov 15, 2005 at 04:11:27PM -0700, Brad Nicholes wrote:
>>   One other thing, the authorization type (valid-user, user, group,
>> etc.) should be unique among all of the authorization modules.  In other
>> words, only one authz module should be implementing valid-user not every
>> module like in the 2.0 architecture.  This is the main reason why you
>> now see the authz types like ldap-user, ldap-group, etc. implemented in
>> mod_authnz_ldap rather than user and group all over again.  There are a
>> couple of exceptions to this which are Group and File-Group implemented
>> in both mod_authz_dbm and mod_authz_groupfile.  I looked into trying to
>> fix this conflict only to find out that there is a reason for it and it
>> works in this case (although still confusing).  Keeping the naming
>> unique doesn't necessarily solve the ordering problem if you do
>> something like
> 
> Huh.  I wonder if 'require' becomes the provider vector for
> authorization?  That is, each module registers a 'require' function
> provider that can then be invoked by an authorization module processing
> the 'require' directive at request-time?  -- justin

+1 sounds very doable.  Without looking at it in detail, it sounds like
all that would need to be done is to remove the current directive
implementation for 'require' and reimplement it as a provider vector in
mod_auth_basic.  Or maybe there needs to be a new mod_authz module that
implements the 'require' directive since there isn't the same auth_type
classification for authorization like we have for authentication (basic,
digest, etc.).  I am assuming that the provider mechanism would handle
the ordering simply by the order that the 'require' directives appear
since we can't use the same syntax as the AuthXXXProvider because of the
need for authorization type parameters.

Brad
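
The idea discussed in this thread, as an added example that is not part of the original message and is not httpd code: a standalone C model in which each authorization type name has exactly one registered checker and the 'require' lines are evaluated in the order they appear. All function names, the fixed table size, the sample configuration and the "first grant wins, otherwise deny" policy are assumptions made for the illustration.

```c
/* Added illustration: standalone model, not httpd code; every name is hypothetical. */
#include <stdio.h>
#include <string.h>

typedef int (*authz_check_fn)(const char *user, const char *args); /* 1 = grant */
static struct provider { const char *type; authz_check_fn check; } providers[8];
static int n_providers;

/* One checker per authz type: a second registration of the same name is refused. */
int register_authz_provider(const char *type, authz_check_fn check) {
    for (int i = 0; i < n_providers; i++)
        if (strcmp(providers[i].type, type) == 0) return -1;
    if (n_providers == 8) return -1;
    providers[n_providers++] = (struct provider){ type, check };
    return 0;
}

/* "valid-user": any authenticated (non-empty) user name. */
int check_valid_user(const char *user, const char *args) { (void)args; return user[0] != '\0'; }

/* "user": the name must equal one whole space-separated word of args. */
int check_user(const char *user, const char *args) {
    size_t n = strlen(user);
    for (const char *p = args; n > 0 && *p; ) {
        size_t len = strcspn(p, " ");
        if (len == n && strncmp(p, user, n) == 0) return 1;
        p += len + strspn(p + len, " ");
    }
    return 0;
}

/* Walk the 'require' lines in configuration order; the first token picks the
 * provider. Assumed policy: first grant wins, anything else falls through to deny. */
int evaluate_requires(const char *const *lines, int n, const char *user) {
    for (int i = 0; i < n; i++) {
        size_t tlen = strcspn(lines[i], " ");
        const char *args = lines[i] + tlen + strspn(lines[i] + tlen, " ");
        for (int j = 0; j < n_providers; j++)
            if (strlen(providers[j].type) == tlen &&
                strncmp(providers[j].type, lines[i], tlen) == 0 &&
                providers[j].check(user, args)) return 1;
    }
    return 0;
}

int main(void) {
    register_authz_provider("user", check_user);
    register_authz_provider("valid-user", check_valid_user);
    const char *const cfg[] = { "user alice bob", "ldap-group admins" }; /* constructed */
    printf("bob=%d carol=%d\n", evaluate_requires(cfg, 2, "bob"), evaluate_requires(cfg, 2, "carol"));
}
```

A 'require' line whose type has no registered provider (here `ldap-group`) grants nothing, so a missing module leads to denial rather than access.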
