On Thu, 27 Feb 2003, Jean-Michel Hiver wrote:

> > I think this may be solved by architecture. If you have an Authz layer
> > maybe it needs to be called sooner than right when you need it.
> >
> > I have a Session-based auth system. When the user successfully
> > authenticates the Auth handler does a lookup in a db where we store all
> > users' authz information. The db has an access level for each user for
> > each widget in the application. These are all loaded into a hashref and
> > stored in the serverside session. An encrypted cookie has the key to the
> > session.
>
> Yes, but you're then making the authorization layer inseparable from
> your applicative layer, and hence you lose the interest of using
> separate handlers.

True. For the type of application I deal with, where authorization levels and security are paramount, this is not a bad thing. And really, in my system, the UI modules only need to know the user's authz level (0-4) to produce content ... they do not care how the authz level was generated.

- nick

--
~~~~~~~~~~~~~~~~~~~~
Nick Tonkin {|8^)>
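
The design discussed in this thread, as an added Perl example that is not code from either poster: levels are copied from the authz store into a server-side session at login, and a UI routine reads only the level. The user names, widget names, level thresholds, in-memory stores and the HMAC-signed cookie (used here in place of the encrypted cookie the message mentions) are all assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-key';   # assumption: real key lives in server config
# Constructed stand-in for the authz db: user -> widget -> level (0-4).
my %AUTHZ_DB = (alice => { reports => 4, billing => 2 }, bob => { reports => 1 });
my %SESSIONS;                          # server-side session store

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Auth handler, after a successful login: copy the user's levels into a new session.
sub start_session {
    my ($user) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $raw, 16) == 16 or die "short read from urandom";
    close $fh;
    my $sid = unpack 'H*', $raw;       # unguessable session key
    $SESSIONS{$sid} = { user => $user, authz => { %{ $AUTHZ_DB{$user} || {} } } };
    return "$sid." . hmac_sha256_hex($sid, $SECRET);   # cookie value
}

# Map a cookie back to its session; tampered or unknown keys yield undef.
sub session_from_cookie {
    my ($cookie) = @_;
    my ($sid, $mac) = split /\./, $cookie // '', 2;
    return undef unless defined $mac && ct_eq($mac, hmac_sha256_hex($sid, $SECRET));
    return $SESSIONS{$sid};
}

# UI module: sees only the level; no session or no entry for the widget means 0.
sub render_reports {
    my ($cookie) = @_;
    my $session = session_from_cookie($cookie);
    my $level = $session ? ($session->{authz}{reports} // 0) : 0;
    return $level >= 4 ? 'full' : $level >= 1 ? 'read-only' : 'denied';
}

my $cookie = start_session('bob');
print "valid cookie:  ", render_reports($cookie), "\n";
print "forged cookie: ", render_reports("0$cookie"), "\n";   # altered session key
```

Because the levels are copied at login, a change in the authz store reaches a user only when the session is rebuilt.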