Menu
▾
▴
Re: [naviserver-devel] Functionality similar to nginx' auth_request
|
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-05-23 16:23:47
|
Dear all, >> On the C-level, NaviServer provides in the possibility to register an authProc via Ns_SetRequestAuthorizeProc(), which has to return NS_OK, NS_UNAUTHORIZED, NS_FORBIDDEN, or NS_ERROR. Currently, only nsperm uses this, and the infrastructure allows only a single proc to be registered there. I could imagine making this more flexible by >> - allowing a chain of responsibility (multiple authProcs), >> - allowing to add a Tcl handler for this. > > Yes: that sounds great! Well, we have it now in the repository for the 5.0 release. Instead of a single, C-Level proc, we have now pluggable request- and user-level authorization callbacks with multiple authorities and continuation codes. In other words, we have the ability to have a chain of authorization procs (e.g. for different authorities), and these procs can be scripted. One could now implement nsperm fully in Tcl, and it will run after pre-auth and before post-auth filters. Here is the updated picture from the documentation visualizing the authorization chain.  The authorization chain is similar to the filter chains: one can control, whether - the handler feels responsible for the input and the next element in the chain should be called, or - it claims full responsibility and the rest of the chain should be skipped, or - one should stop request processing and not call the request proc at all (“return -code return …”, or “filter_return” in filters). The details are slight more difficult: - Sometimes, one needs just user authorization (no http method or path), as e.g. for authorization in nscp. - Sometimes we want to distinguish between “no such user” and “password incorrect”. - Sometimes we want to distinguish between wrong user/password (let user retry) and “forbidden” (no retry makes sense). - …. We have now the possibility to register C and Tcl-level user authorization procs and request authorization procs. The new commands for registration: ns_register_auth ?-authority <label>? ?-first? request script ?arg…? ns_register_auth ?-authority <label>? ?-first? user script ?arg…? For script-level testing: ns_auth request ?-dict? method url user passwd ?peer? ns_auth user ?-dict? user passwd As mentioned before, authorization also be achieved by abusing in preauth filter, … and e.g. OpenACS does this in some complex ways. However, having a clear authorization phase looks architecturally much better to me. The updated documentation is [1]. I hope, this was the last larger change before the release, the next European OpenACS and Tcl/Tk Conference [2] is coming closer. Please consider joining. All the best -g [1] https://naviserver.sourceforge.io/5.0/naviserver/files/commandlist.html [2] https://openacs.km.at/evaluate/org/129998253/conferencenews/ |
