httpd-modules-dev mailing list archives

From "Ben Davies" <>
Subject Authz modules and User group lookups
Date Wed, 17 Jun 2009 13:06:13 GMT
Hello everyone,


First, some background.


I'm currently planning out my own Authorization module (mod_resource_authz)
which allows a webmaster to deny or grant access to a resource based on the
method used. It simply acts as a provider to other modules which implement
the reading of a resource's metadata to determine if the user is allowed
access to the resource. The module creates a table consisting of allowed
methods which are merged together from a list of allowed methods by user
type. For example:


World Permissions: GET

Group Permissions: GET PUT 

Owner Permissions: GET PUT POST DELETE


If the Username is the same as the resource's owner name, then the Owner
permissions are merged with the world permissions to create a table of
allowed permissions. Authorization is granted if the request method is an
entry in the allowed methods table.


As I say, the module will act as a provider delegating the collection of
resource metadata (via directives in htaccess files, .meta files or DBD).


All seems fine so far on paper, and nothing too complicated.


My problem comes from attempting to determine if the user is a member of a
specific group. I've been looking around, and it doesn't appear that the user
group membership lookups have been separated out from their individual
modules. For example, mod_authz_groupfile doesn't provide an interface my
module can use to look up if a user is a member of a group. Neither does
mod_authz_dbm, etc.; all these modules do is provide authorization if a user
is simply a member of a group. 


Does anyone have any suggestions, or am I best implementing a separate
provider hook in my module that delegates group membership lookups to other
modules (e.g. mod_resource_authz_grplkup_file,
mod_resource_authz_grplkup_dbm, mod_resource_authz_grplkup_dbd)? A simple
interface would suffice, e.g. provide the username, returns an array of
groups the user is a member of.


Has anyone else come across a similar situation, and if so, do you have any
suggestions? Does anyone else have any suggestions or improvements on the
approach I am taking to this problem?


Thanks for your time.




Ben Davies
