I'd like to implement a web service that implements authorization based on the underlying file system ACL.

Basically, when a request is made, if a file/directory is world readable, it should just be served with no authentication required. However, if a file is not world readable, authentication should be requested, and access should only be granted if the successfully authenticated user would receive such access based on the ACL. Obviously, if a file is not world readable, it would need to be accessible to the web server process in order to actually read the ACL or deliver the file.

I implemented a similar system years ago under Apache 1.3 with the mod_auth_dce module, and am trying to replicate similar behavior under Apache 2 on top of Solaris ZFS. I would like to delegate the actual authentication to a separate module (in my case, LDAP authentication, but it could theoretically work with any authentication module that verifies a username/password).

There are two approaches I'm currently considering. Both share the same first steps. Initially, hook into the authentication layer. For a given request, if the resource requested is world readable, do not request authentication and deliver as necessary. If the request is not world readable, and no authentication was provided, require authentication. If authentication was provided, skip the request and pass it on to the actual underlying authentication module (LDAP, etc.) to verify the username/password is correct.

For the authorization layer, I'm thinking I can either evaluate the ACL within my module, or dynamically convert the ACL into Apache require user/group configuration to be processed by an existing authorization module.

I haven't worked on an Apache module since 1.3, and was hoping for a little feedback before I dug in. Does there already exist any module that performs similarly to this? Is it feasible within the Apache 2 framework to sometimes require authentication and sometimes not within a particular directory? Will one module be able to require authentication, but be able to delegate the actual performance of that authentication to another? And finally, would it be possible for one module to dynamically generate require configuration for a request that is then interpreted by another module?

Thanks much for any assistance...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [EMAIL PROTECTED]
California State Polytechnic University | Pomona CA 91768
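The decision logic described in the post, as an added example that is not part of the original message or of any Apache module: POSIX mode bits stand in for the ZFS ACL, the principal table (alice/bob/carol) is constructed, and both approaches are shown: evaluating access in the module (`decide`) and emitting `require` lines for an existing authorization module (`to_require`).

```python
import os
import stat
import tempfile

def make_principals(owner_uid, group_gid):
    """Constructed stand-in for the LDAP/NSS directory: name -> (uid, gids)."""
    return {
        "alice": (owner_uid, {group_gid}),         # owns the file
        "bob":   (owner_uid + 1000, {group_gid}),  # only in the file's group
        "carol": (owner_uid + 2000, set()),        # unrelated user
    }

def decide(path, user, principals):
    """ALLOW_ANON: world readable, serve without credentials.
    REQUIRE_AUTH: not world readable and no credentials yet (send 401).
    ALLOW / DENY: the authenticated user does / does not get read access."""
    st = os.stat(path)  # the server process itself must be able to read the ACL
    if st.st_mode & stat.S_IROTH:
        return "ALLOW_ANON"
    if user is None:
        return "REQUIRE_AUTH"
    uid, gids = principals[user]
    if uid == st.st_uid and st.st_mode & stat.S_IRUSR:
        return "ALLOW"
    if st.st_gid in gids and st.st_mode & stat.S_IRGRP:
        return "ALLOW"
    return "DENY"

def to_require(path, owner_name, group_name):
    """Second approach: translate the read bits into Apache 'require' lines."""
    st = os.stat(path)
    if st.st_mode & stat.S_IROTH:
        return []  # world readable: no authorization directive needed
    lines = []
    if st.st_mode & stat.S_IRUSR:
        lines.append(f"require user {owner_name}")
    if st.st_mode & stat.S_IRGRP:
        lines.append(f"require group {group_name}")
    return lines

def demo():
    """Constructed sample tree: one public, one group-readable, one private file."""
    d = tempfile.mkdtemp()
    public, private, secret = (os.path.join(d, n) for n in ("pub", "priv", "sec"))
    for p, mode in ((public, 0o644), (private, 0o640), (secret, 0o600)):
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(p, mode)
    st = os.stat(private)
    principals = make_principals(st.st_uid, st.st_gid)
    return {
        "anon_public": decide(public, None, principals),
        "anon_private": decide(private, None, principals),
        "alice_private": decide(private, "alice", principals),
        "bob_private": decide(private, "bob", principals),
        "carol_private": decide(private, "carol", principals),
        "bob_secret": decide(secret, "bob", principals),
        "require_private": to_require(private, "alice", "staff"),
    }
```

Note that `decide` evaluates the bits on the file alone; a real module would also have to walk the directory chain, since a non-traversable parent denies access regardless of the file's own ACL.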