> From: sterling [mailto:[EMAIL PROTECTED]]
> Hi -
>
> IMHO, there is no apache dependency that requires auth and authz to be in
> the same module.... usually, it is just logical that the application
> handle both phases - but that is on the module writer.

Yes, but the choice of doing group lookups using a file/db/whatever
is tied in with the authz phase.  I'd like to be able to reuse the
check of whether a user (belonging to a certain group) is authorized to
access a certain URL.

> On Fri, 7 Sep 2001, Sander Striker wrote:
>
>> Hi,
>>
>> I've been going through the modules/aaa directory
>> and found that modules there seem to implement both
>> authentication and authorization.
>>
>> IMO this should be split.  Auth and authz are
>> completely different things and it would be nice
>> to have different modules to do authentication
>> in a different way, but still utilize the same
>> authorization method.
>>
>> To accomplish this, an extra field would be needed
>> in request_req (and that's probably not going
>> to happen): request_req->groups, which holds
>> a string with all the groups the authenticated
>> user belongs to.
>
> welp, authorization does NOT imply groups... it could require all sorts
> of information to authorize.
> Authentication is simply 'who is this person' and authorization is 'are
> they authorized to receive the requested location'.

Yes, but when looking at the aaa modules, all of them seem to authenticate
the user in check_user_id (which is good).  In auth_checker, the group is
looked up and then authz is checked.  The last part is highly duplicated
(I don't care too much about that).  What I would like to see is that a
_common_ thing such as group lookups be separated out of the authz part.  I.e.,
let there be a hook get_user_groups(?), which is invoked when
ap_get_user_groups is called.

> Hence, the authorization phase (read auth_checker) is responsible for
> reading the requirements and trying to validate them (given usually a
> valid-user in the r->user field).  If that means check if they are part of
> a group, so be it.  If it means check if they have red hair - that works
> too.

Doh! :)

> Group lookup is NOT part of authentication IMHO.  Many authz solutions
> have nothing to do with 'groups'.

Although many do not, it is common (you only have to look at the aaa
modules).

>> Or, there could be a new hook which is used to
>> lookup the groups a user belongs to, or, if
>> a user belongs to a certain group.  This hook
>> will be called whenever the framework equivalent
>> of this function is called.
>>
>> Thoughts?
>>
>> Sander
>>
>> /me hides from the 'core stabilizers' that probably
>>  are going to hate me for bringing this up.
>
>
> I don't think this should be skipped because of 'stabilization'.  I think
> it should be skipped because it is not the right architecture.

I think I agree with you when it comes to adding fields to request_req, but
introducing a new hook should be OK IMO.  But this won't be touched very
quickly anyhow, looking at the ~'hold off until 2.1' reactions.

> sterling

Sander
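The split Sander is asking for, as an added stand-alone model that is not code from this thread or from the Apache httpd tree: plain C with no Apache headers, where authentication (check_user_id), group lookup (the proposed get_user_groups hook, reached through an ap_get_user_groups-style framework call) and authorization (auth_checker) are three separately pluggable functions. The hook names mirror the discussion; the struct layout, the hook table, the credential and group stores and the request samples are all constructed for this example and are not the server's real data structures. Swapping the group provider (file, db, whatever) then touches one function pointer and leaves both the authn module and the "require group" evaluation untouched.

```c
/* Added example: a plain-C model of splitting authn, group lookup and authz
 * into separate hooks.  Not Apache code; names mirror the discussion only. */
#include <stdio.h>
#include <string.h>

#define OK                 0
#define DECLINED          -1
#define HTTP_UNAUTHORIZED  401
#define HTTP_FORBIDDEN     403

/* Constructed stand-in for request_rec: only the fields this model needs. */
typedef struct {
    const char *uri;
    const char *supplied_user;   /* credentials as decoded from the request */
    const char *supplied_pass;
    const char *user;            /* r->user: filled in by the authn hook */
} request_rec;

/* --- hook 1: authentication (check_user_id) --------------------------- */
/* Constructed credential store; a file/db/ldap module would replace this. */
static const struct { const char *name, *pass; } passwd_db[] = {
    { "alice", "s3cret" }, { "bob", "hunter2" }, { NULL, NULL }
};

static int basic_check_user_id(request_rec *r)
{
    if (!r->supplied_user || !r->supplied_pass)
        return HTTP_UNAUTHORIZED;            /* no credentials at all */
    for (int i = 0; passwd_db[i].name; i++) {
        if (strcmp(passwd_db[i].name, r->supplied_user) == 0 &&
            strcmp(passwd_db[i].pass, r->supplied_pass) == 0) {
            r->user = passwd_db[i].name;     /* authenticated: who is this */
            return OK;
        }
    }
    return HTTP_UNAUTHORIZED;
}

/* --- hook 2: group lookup (the proposed get_user_groups hook) ---------- */
/* Constructed group store.  This is the part a file/db provider implements
 * once, regardless of which module authenticated the user. */
static const struct { const char *user, *group; } group_db[] = {
    { "alice", "admins" }, { "alice", "staff" }, { "bob", "staff" }, { NULL, NULL }
};

static int file_user_in_group(const char *user, const char *group)
{
    for (int i = 0; group_db[i].user; i++)
        if (strcmp(group_db[i].user, user) == 0 &&
            strcmp(group_db[i].group, group) == 0)
            return 1;
    return 0;
}

/* Hook table: the admin plugs in one authn provider and one group provider.
 * (Hypothetical; the real server uses its hook registration machinery.) */
static int (*check_user_id_hook)(request_rec *)               = basic_check_user_id;
static int (*user_in_group_hook)(const char *, const char *)  = file_user_in_group;

/* Framework equivalent of ap_get_user_groups: authz modules call this
 * instead of reading a group file themselves. */
static int ap_user_in_group(request_rec *r, const char *group)
{
    return user_in_group_hook(r->user, group);
}

/* --- hook 3: authorization (auth_checker) ----------------------------- */
/* Evaluates one "require" line: "valid-user", "user NAME" or "group NAME".
 * Anything else is DECLINED so another module (red hair, say) can handle it. */
static int auth_checker(request_rec *r, const char *require_line)
{
    if (!r->user)
        return HTTP_UNAUTHORIZED;
    if (strcmp(require_line, "valid-user") == 0)
        return OK;
    if (strncmp(require_line, "user ", 5) == 0)
        return strcmp(require_line + 5, r->user) == 0 ? OK : HTTP_FORBIDDEN;
    if (strncmp(require_line, "group ", 6) == 0)
        return ap_user_in_group(r, require_line + 6) ? OK : HTTP_FORBIDDEN;
    return DECLINED;
}

/* Run the two phases in server order: authn first, then authz. */
int handle_request(const char *uri, const char *user, const char *pass,
                   const char *require_line)
{
    request_rec r = { uri, user, pass, NULL };
    int rv = check_user_id_hook(&r);
    if (rv != OK)
        return rv;                           /* never reach authz unauthenticated */
    return auth_checker(&r, require_line);
}

int main(void)
{
    printf("%d\n", handle_request("/admin", "alice", "s3cret", "group admins"));
    printf("%d\n", handle_request("/admin", "bob",   "hunter2", "group admins"));
    printf("%d\n", handle_request("/admin", "bob",   "wrong",   "group admins"));
    return 0;
}
```

The point worth checking in a model like this is ordering: a failed authentication returns 401 before any require line is consulted, a valid user outside the group gets 403, and a require type the module does not understand is DECLINED rather than silently allowed.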
