Posted to dev@httpd.apache.org by Allan Edwards <ak...@raleigh.ibm.com> on 2000/06/16 02:03:31 UTC
conn_rec->notes
It would be nice to be able to pass information
from one module to another - like the notes
capability of request_rec except using conn_rec.
example: passing client certificate information
to an ldap module
Anyone object to adding ap_table_t *notes to
conn_rec?
Allan
Re: conn_rec->notes
Posted by Manoj Kasichainula <ma...@io.com>.
On Fri, Jun 16, 2000 at 12:41:01AM -0700, Greg Stein wrote:
> On Fri, Jun 16, 2000 at 02:20:26AM -0400, Manoj Kasichainula wrote:
> > Client certs are attributes of a connection, not a request?
>
> Not sure in what sense Manoj is asking here, but AFAIK all authentication
> information is associated with a *request* rather than the connection.
I was expressing mild surprise that a cert would hang off of a
connection instead of a request, i.e. I was agreeing with you. :)
Re: conn_rec->notes
Posted by Allan Edwards <ak...@raleigh.ibm.com>.
Greg Stein wrote:
>
> On Fri, Jun 16, 2000 at 02:20:26AM -0400, Manoj Kasichainula wrote:
> > On Thu, Jun 15, 2000 at 08:03:31PM -0400, Allan Edwards wrote:
> > > It would be nice to be able to pass information
> > > from one module to another - like the notes
> > > capability of request_rec except using conn_rec.
> > >
> > > example: passing client certificate information
> > > to an ldap module
> >
> > Client certs are attributes of a connection, not a request?
Yes, the client cert information is sent during the initial connection
handshake, you don't get new cert info for subsequent HTTP requests
on that connection.
>
> Not sure in what sense Manoj is asking here, but AFAIK all authentication
> information is associated with a *request* rather than the connection.
>
In this case the authentication information is associated with the
*connection* but is used in the authentication phase of each request
on that connection.
At any rate, the initial handshake takes place before request processing
starts, and there is no request_rec on which to hang the cert info at
that time anyway. So I believe conn_rec is the logical place to store this
information.
Allan
Re: conn_rec->notes
Posted by Greg Stein <gs...@lyra.org>.
On Fri, Jun 16, 2000 at 02:20:26AM -0400, Manoj Kasichainula wrote:
> On Thu, Jun 15, 2000 at 08:03:31PM -0400, Allan Edwards wrote:
> > It would be nice to be able to pass information
> > from one module to another - like the notes
> > capability of request_rec except using conn_rec.
> >
> > example: passing client certificate information
> > to an ldap module
>
> Client certs are attributes of a connection, not a request?
Not sure in what sense Manoj is asking here, but AFAIK all authentication
information is associated with a *request* rather than the connection.
In other words, that cert should hang off the request, not the connection.
Cheers,
-g
--
Greg Stein, http://www.lyra.org/
Re: conn_rec->notes
Posted by Manoj Kasichainula <ma...@io.com>.
On Thu, Jun 15, 2000 at 08:03:31PM -0400, Allan Edwards wrote:
> It would be nice to be able to pass information
> from one module to another - like the notes
> capability of request_rec except using conn_rec.
>
> example: passing client certificate information
> to an ldap module
Client certs are attributes of a connection, not a request?
> Anyone object to adding ap_table_t *notes to
> conn_rec?
Iff it's needed, then until there's a better mechanism, it sounds good
to me.
Re: conn_rec->notes
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Allan Edwards wrote:
>
> I'm not sure exactly how a proxy would handle this example but I would
> guess that client certificates are not intercepted by proxies but
> are transparently passed on to the origin server, so I don't think
> this particular application of conn_rec->notes could be misused by
> a proxy.
I *think* Marc might be meaning that another request from a
completely different user might get piggy-backed into an
already-established connexion.. but I don't see how that
has any impact on this proposed field. I'm probably not
making any sense here. +1 to the idea, though.
--
#ken P-)}
Ken Coar <http://Golux.Com/coar/>
Apache Software Foundation <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>
"Apache Server Unleashed" <http://ApacheUnleashed.Com/>
Re: conn_rec->notes
Posted by Allan Edwards <ak...@raleigh.ibm.com>.
Marc Slemko wrote:
>
> On Thu, 15 Jun 2000, Allan Edwards wrote:
>
> > It would be nice to be able to pass information
> > from one module to another - like the notes
> > capability of request_rec except using conn_rec.
> >
> > example: passing client certificate information
> > to an ldap module
> >
> > Anyone object to adding ap_table_t *notes to
> > conn_rec?
>
> I question how wise it is, because that is something that is very easy to
> misuse. In general, the connection can be used by completely different
> users if it is from a proxy.
I'm not sure exactly how a proxy would handle this example but I would
guess that client certificates are not intercepted by proxies but
are transparently passed on to the origin server, so I don't think
this particular application of conn_rec->notes could be misused by
a proxy. If you have other scenarios in mind where the proxy code
might misuse this field maybe we can add a comment warning of such.
> It is only in special situations, such as
> when you have a layer there that makes it more than just a normal TCP
> connection over which HTTP requests flow, where that is legitimately used.
I think this is such a case though, and while there might be other
coding solutions, I think they too would be open to the same misuse.
Alternate solutions would also make it harder to read the code and
understand what was going on, so I don't see why we should penalize
any legitimate usage.
Allan
Re: conn_rec->notes
Posted by Marc Slemko <ma...@znep.com>.
On Thu, 15 Jun 2000, Allan Edwards wrote:
> It would be nice to be able to pass information
> from one module to another - like the notes
> capability of request_rec except using conn_rec.
>
> example: passing client certificate information
> to an ldap module
>
> Anyone object to adding ap_table_t *notes to
> conn_rec?
I question how wise it is, because that is something that is very easy to
misuse. In general, the connection can be used by completely different
users if it is from a proxy. It is only in special situations, such as
when you have a layer there that makes it more than just a normal TCP
connection over which HTTP requests flow, where that is legitimately used.
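
Added illustration (not part of the thread and not Apache source code): a small C model of the two positions discussed above, connection-scoped storage for data fixed at the handshake, and the misuse that arises when a request-level identity is cached on a connection that a proxy shares between users. The structs are simplified stand-ins for conn_rec and request_rec, fixed string slots replace the proposed ap_table_t *notes, and the auth_user field and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for httpd's conn_rec / request_rec. Two fixed
 * string slots model entries in the proposed connection notes table. */
typedef struct { char cert_dn[64]; char cached_user[64]; } conn_rec;
/* auth_user is a hypothetical per-request credential (not a cert). */
typedef struct { conn_rec *connection; const char *auth_user; } request_rec;

/* The handshake runs once per connection, before any request_rec
 * exists, so the connection is the only place to record the cert. */
static void tls_handshake(conn_rec *c, const char *client_dn) {
    snprintf(c->cert_dn, sizeof c->cert_dn, "%s", client_dn);
    c->cached_user[0] = '\0';
}

/* Use described by Allan: each request's authentication phase reads
 * the cert that the transport layer bound to the connection. */
static const char *authn_from_cert(const request_rec *r) {
    return r->connection->cert_dn;
}

/* Misuse Marc warns about: a request-level identity cached on the
 * connection is reused for every later request on that connection. */
static const char *authn_cached_on_conn(const request_rec *r) {
    conn_rec *c = r->connection;
    if (c->cached_user[0] == '\0' && r->auth_user != NULL)
        snprintf(c->cached_user, sizeof c->cached_user, "%s", r->auth_user);
    return c->cached_user;
}

/* Request-level credentials evaluated per request, never cached. */
static const char *authn_per_request(const request_rec *r) {
    return r->auth_user != NULL ? r->auth_user : "";
}

int main(void) {
    conn_rec c;
    tls_handshake(&c, "CN=client.example");        /* constructed DN */
    /* Two requests from different users multiplexed by a proxy. */
    request_rec r1 = { &c, "alice" }, r2 = { &c, "bob" };
    printf("cert seen by r2:     %s\n", authn_from_cert(&r2));
    printf("conn cache, r1:      %s\n", authn_cached_on_conn(&r1));
    printf("conn cache, r2:      %s\n", authn_cached_on_conn(&r2));
    printf("per-request, r2:     %s\n", authn_per_request(&r2));
    return 0;
}
```

In the model, the second request on the shared connection is attributed to the first user whenever the identity is read back from the connection, while the handshake-bound certificate is the same for both requests by construction.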