From: Luke <sl...@li...> - 2006-09-10 01:37:22
On Sat, 9 Sep 2006, Christopher Murtagh wrote:

> On 9/9/06, Gavin Carr <ga...@op...> wrote:
> > Note that this isn't quite what I'm asking for Chris. "Pluggable"
> > authentication implies specific support by the application of auth
> > scheme X. I'm after "external" authentication, meaning you do the auth
> > at the apache level using any authentication module apache supports,
> > and SL just accepts the authenticated user as given to it by apache.
> > There's a place for both, but I'm specifically interested in the
> > second.
>
> The two things that you describe are one and the same. Pluggable
> authentication means that you create APIs for different authentication
> mechanisms, so that these mechanisms handle the authentication, and
> the application trusts it through the API. 'auth scheme X' in this
> case is 'Basic HTTP authentication' which will definitely be one of
> the authentication schemes that we can support.

I have to agree with Gavin here: the two are not really identical.

ProFTPD, in order to authenticate against MySQL, if I recall correctly, uses a module of sorts. The user enters his information to the normal ProFTPD login system, at which point ProFTPD uses the pluggable module to authenticate, and receives back an answer and possibly other information. That seems analogous to the Pluggable or API based system you are describing.

From the perspective of a secured PHP application running under a .htaccess protected directory, however: Apache prompts for, and receives, authentication information. It then does what it needs to to verify that information. If it is valid for a user, it passes the user name on to the PHP application. The application did not have to be modified to permit new authentication schemes (internal or pluggable), it just receives a username if the user was valid, and never even runs if the user was not.

The latter is external--the application is only involved when the authentication process is complete.

The former is a plugin: the application uses something else to do the authenticating, but is still involved from the start, thereby limiting the available methods for authentication, or at least making each new method dependent on something being written for the application, so that it might handle them.

I would favor the external, rather than the remote/internal/plugin method.

Regards,
Luke
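
The external model described in the message above, sketched as an added example that is not part of the original thread or of the project's code: the PHP application takes the user name only from variables Apache itself sets and refuses to run otherwise. The function name `external_user`, the `.htaccess` directives in the comment, the user-name pattern and the sample environments are assumptions made for illustration.

```php
<?php
// Assumed .htaccess for the protected directory (constructed, not from the thread):
//   AuthType Basic
//   AuthName "Restricted"
//   AuthUserFile /path/to/htpasswd      (placeholder path)
//   Require valid-user

/**
 * Return the user name Apache authenticated, or null if there is none.
 * $server is normally $_SERVER; it is a parameter so the function can be
 * exercised with constructed input.
 */
function external_user(array $server): ?string
{
    // Only variables set by the web server are trusted. Anything prefixed
    // HTTP_ is built from a request header and is client-controlled, so
    // HTTP_REMOTE_USER and similar keys are deliberately never read.
    // REDIRECT_REMOTE_USER is what Apache exposes after an internal redirect.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        $user = $server[$key] ?? '';
        if (!is_string($user) || $user === '') {
            continue;
        }
        // Conservative allow-list before the name reaches the application's
        // own queries or logs (the pattern is an assumption).
        if (preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user) === 1) {
            return $user;
        }
        return null; // present but malformed: refuse rather than guess
    }
    return null;
}

// Constructed sample environments, standing in for $_SERVER.
$samples = [
    'authenticated by Apache' => ['REMOTE_USER' => 'luke', 'AUTH_TYPE' => 'Basic'],
    'spoofed header only'     => ['HTTP_REMOTE_USER' => 'admin'],
    'auth not configured'     => [],
];
foreach ($samples as $label => $env) {
    $user = external_user($env);
    // Fail closed: with no server-supplied user, the application does not run.
    echo $label, ': ', $user === null ? '403 refuse' : "run as $user", PHP_EOL;
}
```

The fail-closed branch matters when the directory is deployed without the `.htaccess` protection: the application then sees no server-supplied user and must not fall back to anything the client sent.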