On Tue, Aug 27, 2002 at 10:12:43AM -0400, [EMAIL PROTECTED] wrote: > than the current AAA modules. In a 'require group' world, it is very nice > to abstract this stuff out so backends can be re-used, and apache specific > logic can be centralized - as you have proposed. But it will be harder > to plug in backends that try to do more with requirements (of which there > really aren't many)- which is probably fine.
Without seeing use cases, it's hard to know what people want. For now, I can only go off of what we have now. (I'm hoping that people who write third-party auth engines speak up now and point out how this API could make it better for them if it only did XYZ.) > 1) It looks like the 'AuthProvider' does not allow you to stack auth handlers. > I would be cool (if not critical :) if it was more of an AddAuthProvider > - then the basic auth handler loops through all providers that are added. > This way you could configure ldap and anon for a given location. > > 2) If you do allow stacking of providers like this, you need to also provide > the ability to specify which one is authoritative (if any). Yeah, you hit the problem with stacking - authoritative. I'm not sure how useful having multiple backends could be. I'd almost suggest that something like a PAM backend would be much better and allows a fairly standard configuration. (I know Dirk has a PAM module somewhere.) That removes the stacking component entirely if we supported PAM. But, yeah, I think we could implement multiple providers ourselves if we wanted to. > 3) maybe i'm missing something, but why did you rewrite ap_note_basic_auth_failure > and ap_get_basic_auth? assuming there was a reason, maybe a comment in > the code would help clarify it. I want to toss ap_note_basic_auth_failure and ap_get_basic_auth. That code doesn't belong in the server/protocol.c. Ideally, any modules that were using these functions could just implement a backend module. But, I don't think we want to have those exported going forward - the only reason they are exported is because our API sucked. -- justin
