You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2002/07/11 22:18:58 UTC
Wacking auth/access - right direction ?
Well, here it is, the late 1.3 going on 2.0. You know, so much of the
sites we see today are all file based basic auth, we never get a chance to
see strong auth practicing their craft anymore. By the year 2006, the
service known today as the web will exist only in the unsecured brochure
ware department of your ISP. So tonight ladies and gentlemen, while we
still can, let us welcome... modules/aaa/config.m4:
APACHE_MODPATH_INIT(aaa)
dnl Authentificantion modules; i.e. modules checking
dnl a username and password against a file, database
dnl or other similar magic.
dnl
APACHE_MODULE(auth_userfile, file based user based authentification
control, , , yes)
APACHE_MODULE(auth_dbm, DBM-based user auth databases, , , most)
APACHE_MODULE(auth_anon, anonymous user access, , , most)
dnl - and just in case all of the above punt; a default handler to
dnl keep the bad guys out.
APACHE_MODULE(auth_default, authentification backstopper, , , yes)
dnl Access control modules. I.e. modules which verify
dnl a certain property; i.e. membership of a group,
dnl value of the IP address against a list of pre
dnl configured directives (e.g. require, allow) or
dnl against an external file or database.
dnl
APACHE_MODULE(access, host-based access control, , , yes)
APACHE_MODULE(access_groupfile, 'require group' based access control based
on file, , , yes)
APACHE_MODULE(access_user, 'require user' based access control, , , yes)
APACHE_MODULE(access_dbm, DBM-based group access databases, , , most)
dnl - and just in case all of the above punt; a default handler to
dnl keep the bad guys out.
APACHE_MODULE(access_default, access control backstopper, , , yes)
(formatted and auth_digest left out for clarity).
Anyway - config.m4; above explains it all. So we now have
mod_auth_something
doing username/password validation
mod_access_something
doing allow from IP,
require this, require that,
And two 'special' modules (which also could be moved with the protocol
specific run_all handler for the two auth hooks)
mod_[auth/access]_default.c
whichs ackts a null backstopper in case nothing is configured.
The cost of all this is:
-> Memory footprint; on MacOSX about 1.2k shared and 200 bytes
per thread/process with the default set.
-> Require expense; more ground to cover when the admin does not
do careful configuration.
-> Havock for a few weeks in modules/aaa.
-> User re-education.
The benefit
-> Much easier to strip modules down.
-> Expert admin can make things more efficient wihtout
recoding, recompiling. So they win.
-> Auth modules become smaller; we gain about 2k shared when
you have all of them plugged in.
-> Easier to document and easier to understand how auth
methods work togeterh.
-> We could put in a much more paranoid default module
to make the server more robust against config errors
and be less inclined to serve by accident.
Andy mainly
-> Code for most auth modules out there; i.e. the legacy 1.3
becomes less than half when redone. (And about 1/3 of the
file size; due to the license).
A lightly tested strawman of the files is at
http://www.apache.org/~dirkx/foo/
So.. my question... is this the right direction ?
Dw