On Wed, 10 Jul 2002, Pier Fumagalli wrote:

> Dirk, since you're working on a patch for Auth, would it be possible to have
> the groups list somewhere in the request structure? It would be great with
> web applications, where we can match groups with roles (therefore allowing
> authentication to be processed by apache entirely)...

Well - r->user, or any r->credentials are valid there; as they come from
the protocol; i.e. are part of the request.

The group information can, depending on protocol, come from more than one
source

        -> provided with the credentials (e.g. like the 'account'
           dimension in ftp or your kerberos realm).

        -> a user can belong to N groups as returned by an
           all knowing auth system when asked.

        -> a check if the user was in a list of M groups can have
           yielded that he was a member of P groups which is a
           subset of M.

Once you add group; there are other dimensions too; i.e. think of the
login.conf resources on BSD, a much more mature framework like that on
mainframes, and so on.

 So this is perhaps a bit more complex than just that.

What is it you would feel as most useful in the web application world -
could you elaborate ?

Dw.
