[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> 
> On Wed, 10 Jul 2002, Pier Fumagalli wrote:
> 
>> Dirk, since you're working on a patch for Auth, would it be possible to have
>> the groups list somewhere in the request structure? It would be great with
>> web applications, where we can match groups with roles (therefore allowing
>> authentication to be processed by apache entirely)...
> 
> Well - r->user, or any r->credentials are valid there; as they come from
> the protocol; i.e. are part of the request.
> 
> The group information can, depending on protocol, come from more than one
> source
> 
> -> provided with the credentials (e.g. like the 'account'
>   dimension in ftp or your kerberos realm).
> 
> -> a user can belong to N groups as returned by an
>   all knowing auth system when asked.
> 
> -> a check if the user was in a list of M groups can have
>   yielded that he was a member of P groups which is a
>   subset of M.
> 
> Once you add group; there are other dimensions too; i.e. think of the
> login.conf resources on BSD, a much more mature framework like that on
> mainframes, and so on.
> 
> So this is perhaps a bit more complex than just that.
> 
> What is it you would feel as most useful in the web application world -
> could you elaborate ?

Indeed it is complex...

Basically, a web application in java land specifies some "security
constraints" in the "web.xml" file (its deployment descriptor). It relies on
two main concepts: user (doh!) and a thing called "role" which is more or
less the parallel of a group. Each user can have zero-or-more of these
"roles" (can be in zero or more groups with the current mod_auth).

Given the idea that I want my entire web site to be controlled by (let's
say) a single user/groups database, I need to pass to the servlet container
the list of "roles" to which every user is associated with, therefore its
list of groups, because at any time (even if the servlet is not under any
particular security constraint), someone might call the "isUserInRole" call,
and verify if a user is actually in a particular group...

I can do that passing the list of groups to the roles to the servlet
container, or calling back Apache and if mod_auth could provide a hook to
verify a particular user/role association, that would be even great...

Does this make sense?

    Pier

--
[Perl] combines all the worst aspects of C and Lisp:  a billion of different
sublanguages in  one monolithic executable.  It combines the power of C with
the readability of PostScript. [Jamie Zawinski - DNA Lounge - San Francisco]
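The role-versus-group model Pier describes above (web.xml security constraints, a user who holds zero or more roles, and a servlet calling `isUserInRole`) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not code from the thread, from Apache httpd or from any servlet container. It assumes that the front-end web server hands the authenticated user's group list to the application as a comma-separated string (the thread does not fix a transport), that groups map to roles through an optional `group_to_roles` table (identity mapping by default), and it applies the combination rules the servlet specification uses when several constraints match one URL: an empty `<auth-constraint/>` denies everyone, a constraint with no `<auth-constraint>` lifts the role requirement, and otherwise the allowed roles are the union of the matching constraints. The web.xml fragment and the user names are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from the thread).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>*.rpt</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>  <!-- empty auth-constraint: nobody may access -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>status</web-resource-name>
      <url-pattern>/admin/status</url-pattern>
    </web-resource-collection>
    <!-- no auth-constraint: this URL is open to everyone -->
  </security-constraint>
</web-app>"""


def url_matches(pattern, path):
    """Servlet-style url-pattern matching: exact, '/prefix/*' or '*.ext'."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def parse_constraints(web_xml):
    """Return a list of (url_patterns, roles) pairs.

    roles is None when the constraint has no <auth-constraint> (no role
    requirement) and an empty set for an empty <auth-constraint/> (deny all).
    """
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip()
                    for wrc in sc.findall("web-resource-collection")
                    for p in wrc.findall("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append((patterns, roles))
    return constraints


def parse_groups(header_value):
    """Group list handed over by the web server, assumed comma-separated."""
    return {g.strip() for g in header_value.split(",") if g.strip()}


class Principal:
    """Authenticated user plus the roles derived from the server's groups."""

    def __init__(self, user, groups, group_to_roles=None):
        self.user = user
        self.groups = set(groups)
        # Hypothetical mapping table; a group maps to itself when absent.
        self.group_to_roles = group_to_roles or {}

    def roles(self):
        roles = set()
        for g in self.groups:
            roles |= self.group_to_roles.get(g, {g})
        return roles

    def is_user_in_role(self, role):
        return role in self.roles()


def is_authorized(constraints, path, principal):
    """Combine every constraint matching `path` the way the servlet spec does."""
    matched = [roles for patterns, roles in constraints
               if any(url_matches(p, path) for p in patterns)]
    if not matched:
        return True  # unconstrained URL
    if any(roles is not None and not roles for roles in matched):
        return False  # an empty <auth-constraint/> overrides everything else
    if any(roles is None for roles in matched):
        return True  # a constraint without <auth-constraint> lifts the requirement
    allowed = set().union(*matched)
    return any(principal.is_user_in_role(r) for r in allowed)


if __name__ == "__main__":
    rules = parse_constraints(WEB_XML)
    bob = Principal("bob", parse_groups("staff"))
    for path in ("/admin/users", "/admin/status", "/sales/q1.rpt", "/internal/x"):
        print(path, "->", "allow" if is_authorized(rules, path, bob) else "deny")
```

The deny-all and no-auth-constraint cases are the ones worth checking first when reviewing a descriptor: a URL that matches both a role-restricted pattern and an unrestricted one ends up open, which is usually a surprise to whoever wrote the restricted rule.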
