On Thu, 27 Feb 2003, Jean-Michel Hiver wrote:

> > I think this may be solved by architecture. If you have an Authz layer
> > maybe it needs to be called sooner than right when you need it.
> >
> > I have a Session-based auth system. When the user successfully
> > authenticates the Auth handler does a lookup in a db where we store all
> > users' authz information. The db has an access level for each user for
> > each widget in the application. These are all loaded into a hashref and
> > stored in the serverside session. An encrypted cookie has the key to the
> > session.
>
> Yes, but you're then making the authorization layer inseparable from
> your applicative layer, and hence you lose the interest of using
> separate handlers.

True. For the type of application I deal with, where authorization levels
and security are paramount, this is not a bad thing. And really, in my
system, the UI modules only need to know the user's authz level (0-4) to
produce content ... they do not care how the authz level was generated.

- nick

-- 

~~~~~~~~~~~~~~~~~~~~
Nick Tonkin   {|8^)>
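
The arrangement described in this thread, sketched as an added example that is not code from either poster: authz levels are copied into a server-side session once at login, and UI code only ever reads a numeric level. The data, function names, the meaning of level 0 and the level thresholds are assumptions; encrypting the cookie that carries the session key is left out.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for the authz database:
# user => { widget => access level 0-4 }.
my %AUTHZ_DB = (
    alice => { reports => 4, billing => 2 },
    bob   => { reports => 1 },
);
my %SESSIONS;    # server-side session store, keyed by session key

# Hypothetical helper: random key that the (encrypted) cookie would carry.
sub new_session_key {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Called once, after authentication succeeds: copy the user's levels
# into the session so later phases need no database lookup.
sub start_session {
    my ($user) = @_;
    my $levels = $AUTHZ_DB{$user} or return;
    my $key = new_session_key();
    $SESSIONS{$key} = { user => $user, authz => { %$levels } };
    return $key;
}

# What a UI module sees: only the numeric level for one widget.
# Unknown session or unlisted widget fails closed to level 0.
sub authz_level {
    my ($key, $widget) = @_;
    my $session = $SESSIONS{ $key // '' } or return 0;
    return $session->{authz}{$widget} // 0;
}

# Assumed thresholds: 0 = no access, 1-2 = read-only, 3-4 = full.
sub render_widget {
    my ($key, $widget) = @_;
    my $level = authz_level($key, $widget);
    return "$widget: access denied" if $level == 0;
    return "$widget: read-only view" if $level < 3;
    return "$widget: full view (level $level)";
}

my $key = start_session('alice');
print render_widget($key, $_), "\n" for qw(reports billing admin);
print render_widget('no-such-session', 'reports'), "\n";
```

The levels held in the session are a snapshot taken at login, so a change made in the database does not reach an existing session until that session is reloaded or ended.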
