> From: martin@v.loewis.de [mailto:martin@v.loewis.de]
> Sent: Wednesday, June 18, 2003 10:51 PM
> "Sander Striker" <striker@apache.org> writes:
>
> > I have yet to review, but you might consider offering it for inclusion
> > in httpd-2.x (if you can live with the ASF license).
>
> Your (or somebody else's) original suggestion was to write
> mod_auth_ssl,
mod_authn_ssl, yes.
> which would also do authentication
Yes.
> (e.g. by means of require user <list of DN_CNs>
No. Satisfying Require lines would be authorization (authz).
> ). This turned out to be unimplementable, and partially useless,
> because
> a) SSLRequire is already available and much more powerful than
> any authorization based on solely req->user, and
See above. Wasn't suggesting this.
> b) setting req->user is not possible inside the check_user_id
> hook, as mod_ssl sets the environment variables only in the
> fixup hook (where mod_ssl_user installs).
That isn't the only problem ;). The authn/authz hooks are only
called when there is a Require line present. This is a problem
we recognize, but it'll take some time for us to sort it out.
> That said, I'd appreciate a review, and I'm certainly willing to
> produce a patch to incorporate the feature directly into mod_ssl. For
> that approach, I observe that
> c) mod_ssl_user might be still useful for users of older mod_ssl
> installations, and
> d) SSLUserName <single variable name>
> might be insufficient. Some authorized users may have a CN set,
> others might only have a USERID. So I have been considering a syntax
> like
> SSLUserName VAR or VAR
> with the Python semantics for "or". User feedback will hopefully
> indicate whether this is really needed, or considered overkill.
Incorporating with mod_ssl seems to be the way to go for now.
Sander
Received on Wed Jun 18 23:55:13 2003