At 04:27 PM 7/10/2002, [EMAIL PROTECTED] wrote:
>On Wed, 10 Jul 2002, Pier Fumagalli wrote:
>
> > Dirk, since you're working on a patch for Auth, would it be possible to have
> > the groups list somewhere in the request structure? It would be great with
> > web applications, where we can match groups with roles (therefore allowing
> > authentication to be processed by apache entirely)...
>
>Well - r->user, or any r->credentials are valid there; as they come from
>the protocol; i.e. are part of the request.
>
>The group information can, depending on protocol, come from more than one
>source
>
>   -> provided with the credentials (e.g. like the 'account'
>      dimension in ftp or your kerberos realm).
>
>   -> a user can belong to N groups as returned by an
>      all knowing auth system when asked.
>
>   -> a check if the user was in a list of M groups can have
>      yielded that he was a member of P groups which is a
>      subset of M.
>
>Once you add group; there are other dimensions too; i.e. think of the
>login.conf resources on BSD, a much more mature framework like that on
>mainframes, and so on.

Very cool. Are you also considering multiple 'user' identities? E.g., If I'm
using client cert ssl auth [one identity], with basic encryption [a different
identity], it would be nice to walk the 'identities' list.

In that, you could have several types of 'identities' in a list, e.g. 'user',
'group', 'role', etc. The IP and DNS of the client themselves are also
'identities', although they are addresses. It would be nice to mix 'n match
all of these into a single API.

Bill
