
RE: Announcing mod_ssl_user

From: Sander Striker <striker_at_apache.org>
Date: 2003-06-18 23:54:16 CEST

> From: martin@v.loewis.de [mailto:martin@v.loewis.de]
> Sent: Wednesday, June 18, 2003 10:51 PM

> "Sander Striker" <striker@apache.org> writes:
>
> > I have yet to review, but you might consider offering it for inclusion
> > in httpd-2.x (if you can live with the ASF license).
>
> Your (or somebody else's) original suggestion was to write
> mod_auth_ssl,

mod_authn_ssl, yes.

> which would also do authentication

Yes.

> (e.g. by means of require user <list of DN_CNs>

No. Satisfying Require lines would be authorization (authz).

> ). This turned out to be unimplementable, and partially useless,
> because
> a) SSLRequire is already available and much more powerful than
> any authorization based on solely req->user, and

See above. Wasn't suggesting this.

> b) setting req->user is not possible inside the check_user_id
> hook, as mod_ssl sets the environment variables only in the
> fixup hook (where mod_ssl_user installs).

That isn't the only problem ;). The authn/authz hooks are only
called when there is a Require line present. This is a problem
we recognize, but it'll take some time for us to sort it out.
 
> That said, I'd appreciate a review, and I'm certainly willing to
> produce a patch to incorporate the feature directly into mod_ssl. For
> that approach, I observe that
> c) mod_ssl_user might be still useful for users of older mod_ssl
> installations, and
> d) SSLUserName <single variable name>
> might be insufficient. Some authorized users may have a CN set,
> others might only have a USERID. So I have been considering a syntax
> like
> SSLUserName VAR or VAR
> with the Python semantics for "or". User feedback will hopefully
> indicate whether this is really needed, or considered overkill.

Incorporating with mod_ssl seems to be the way to go for now.

Sander

Received on Wed Jun 18 23:55:13 2003
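
The `SSLUserName VAR or VAR` form proposed in the quoted message, sketched as an added example (not code from mod_ssl_user or mod_ssl). The parser, the function names and the sample environments are assumptions made for illustration; returning `None` when no variable is set is a choice of this sketch so that a caller would leave `req->user` unset.

```python
import re

# Variable names in the style of mod_ssl's SSL_* environment variables.
_VAR = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_ssl_user_name(args):
    """Split 'VAR or VAR ...' into an ordered list of variable names.

    Hypothetical parser for the syntax proposed in the mail; a malformed
    directive is rejected instead of being silently ignored.
    """
    tokens = args.split()
    if not tokens or len(tokens) % 2 == 0:
        raise ValueError("expected: VAR [or VAR]...")
    names, separators = tokens[0::2], tokens[1::2]
    if any(sep != "or" for sep in separators):
        raise ValueError("variables must be joined by 'or'")
    for name in names:
        if name == "or" or not _VAR.match(name):
            raise ValueError("bad variable name: %r" % name)
    return names


def resolve_user(names, env):
    """Python-style 'or': the first non-empty value wins.

    Unset and empty variables are both skipped. None means no candidate
    produced a user name.
    """
    for name in names:
        value = env.get(name)
        if value:
            return value
    return None


# Constructed sample environments: one certificate carries a CN,
# the other only a UID component.
ENV_WITH_CN = {"SSL_CLIENT_S_DN_CN": "alice", "SSL_CLIENT_S_DN_UID": "a123"}
ENV_UID_ONLY = {"SSL_CLIENT_S_DN_CN": "", "SSL_CLIENT_S_DN_UID": "b456"}

if __name__ == "__main__":
    order = parse_ssl_user_name("SSL_CLIENT_S_DN_CN or SSL_CLIENT_S_DN_UID")
    for env in (ENV_WITH_CN, ENV_UID_ONLY, {}):
        print(resolve_user(order, env))
```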

This is an archived mail posted to the Subversion Dev mailing list.
