[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> On Wed, 10 Jul 2002, Pier Fumagalli wrote:
>
>> Dirk, since you're working on a patch for Auth, would it be possible to have
>> the groups list somewhere in the request structure? It would be great with
>> web applications, where we can match groups with roles (therefore allowing
>> authentication to be processed by apache entirely)...
>
> Well - r->user, or any r->credentials are valid there; as they come from
> the protocol; i.e. are part of the request.
>
> The group information can, depending on protocol, come from more than one
> source
>
>   -> provided with the credentials (e.g. like the 'account'
>      dimension in ftp or your kerberos realm).
>
>   -> a user can belong to N groups as returned by an
>      all knowing auth system when asked.
>
>   -> a check if the user was in a list of M groups can have
>      yielded that he was a member of P groups which is a
>      subset of M.
>
> Once you add group; there are other dimensions too; i.e. think of the
> login.conf resources on BSD, a much more mature framework like that on
> mainframes, and so on.
>
> So this is perhaps a bit more complex than just that.
>
> What is it you would feel as most useful in the web application world -
> could you elaborate ?
Indeed it is complex... Basically, a web application in Java land specifies some "security constraints" in the "web.xml" file (its deployment descriptor). It relies on two main concepts: user (doh!) and a thing called "role", which is more or less the parallel of a group. Each user can have zero or more of these "roles" (can be in zero or more groups with the current mod_auth).

Given the idea that I want my entire web site to be controlled by (let's say) a single user/groups database, I need to pass to the servlet container the list of "roles" with which every user is associated, therefore its list of groups, because at any time (even if the servlet is not under any particular security constraint) someone might call the "isUserInRole" call and verify if a user is actually in a particular group...

I can do that by passing the list of groups as the roles to the servlet container, or by calling back Apache, and if mod_auth could provide a hook to verify a particular user/role association, that would be even better...

Does this make sense?

    Pier

--
[Perl] combines all the worst aspects of C and Lisp: a billion of different
sublanguages in one monolithic executable. It combines the power of C with
the readability of PostScript. [Jamie Zawinski - DNA Lounge - San Francisco]
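One hypothetical way of wiring the group list Pier asks for into the servlet API, written as an added example that is not part of this thread, of mod_auth or of any container: a filter that reads a user name and group list Apache is assumed to forward in two request headers, and answers isUserInRole() from them. The header names, the loopback-only trust check and the one-to-one group-to-role mapping are all assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
// Hypothetical filter: Apache has already authenticated the user and (assumption)
// forwards the user name and a comma-separated group list in two request headers.
// Each Apache group is exposed to the web application as a servlet role of the same name.
public class ApacheGroupRoleFilter implements Filter {
    // Header names are assumptions, not an Apache or container convention.
    static final String USER_HEADER = "X-Remote-User";
    static final String GROUPS_HEADER = "X-Remote-Groups";
    // Assumption: the container only receives traffic from the Apache front end on loopback.
    static final String TRUSTED_PROXY = "127.0.0.1";

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getHeader(USER_HEADER);
        // Honour the headers only from the proxy; otherwise any client could claim groups.
        if (user == null || !TRUSTED_PROXY.equals(http.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        chain.doFilter(new GroupRoleRequest(http, user, http.getHeader(GROUPS_HEADER)), res);
    }
    static final class GroupRoleRequest extends HttpServletRequestWrapper {
        private final String user;
        private final Set<String> roles = new HashSet<String>();

        GroupRoleRequest(HttpServletRequest r, String user, String groups) {
            super(r);
            this.user = user;
            if (groups != null)
                for (String g : groups.split(","))
                    if (g.trim().length() > 0) roles.add(g.trim());
        }
        public String getRemoteUser() { return user; }
        public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return user; } };
        }
        // isUserInRole() now answers from Apache's groups, even outside a security constraint.
        public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Because the container trusts these headers outright, the proxy must strip any copies a client sends and the container must not be reachable except through the proxy; the loopback check above is only a stand-in for that deployment rule.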