--On November 9, 2005 7:25:13 PM -0800 "Roy T. Fielding" <[EMAIL PROTECTED]> wrote:

> o I thought I understood the auth/authn/authnz/authz split,
>   but looking at the files makes me confused again. The docs
>   seem to be the config.m4 file. Only a third of the auth
>   source files have any meaningful comments.

Here's how the split should be aligned:

mod_auth_*   -> Modules that implement an HTTP authentication mechanism
mod_authn_*  -> Modules that provide a backend authentication provider
mod_authz_*  -> Modules that implement authorization (or access)
mod_authnz_* -> Module that implements both authentication & authorization

Authentication == Is this user who they say they are?
Authorization  == Is this client allowed to perform the req'd method?

As mentioned earlier today, I view access as being equivalent to authorization.
I know both Paul's and my 'What's new in 2.2' talks have explained this at least
in passing.

Adding comments or better docs is always a good thing. One thing is that
these modules are *much* simpler than their 2.0 counterparts, so the need for
extensive documentation isn't as pressing - provided you understand how they
all fit together. =) -- justin
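
The naming split described in the message above, mapped onto an httpd 2.2 configuration. This is an added example, not part of the original message or the project's own documentation; the paths, realm names, address range and LDAP host are constructed placeholders.

```apache
# mod_auth_*: implements an HTTP authentication mechanism (here, Basic)
LoadModule auth_basic_module modules/mod_auth_basic.so
# mod_authn_*: backend provider that verifies the credentials (flat file)
LoadModule authn_file_module modules/mod_authn_file.so
# mod_authz_*: authorization / access decisions
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
# mod_authnz_*: one module acting as both provider and authorizer (LDAP)
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /reports>
    # Mechanism (mod_auth_basic). Basic credentials are only base64-encoded,
    # so this location should be served over TLS.
    AuthType Basic
    AuthName "Reports"

    # Authentication provider (mod_authn_file):
    # "Is this user who they say they are?"
    AuthBasicProvider file
    AuthUserFile /usr/local/apache2/conf/htpasswd.example

    # Authorization (mod_authz_user):
    # "Is this client allowed to perform the requested method?"
    Require valid-user

    # Access control, treated as authorization (mod_authz_host)
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Require both the host check and a valid login
    Satisfy All
</Location>

<Location /staff>
    # Same mechanism, but authentication AND authorization both come
    # from mod_authnz_ldap: it is the provider and evaluates the Require line.
    AuthType Basic
    AuthName "Staff"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org/ou=People,dc=example,dc=org?uid"
    Require ldap-group cn=staff,ou=Groups,dc=example,dc=org
</Location>
```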