Re: external ACL

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 19 Jul 2001 10:09:13 +0200

Robert Collins wrote:
>
> So you want to force authentication if not present?
>
> Three possible ways
> 1) duplicate code from the proxy_auth ACL type. Remembering that
> _authentication_ vs authorisation is all modularised in authenticate.c
> 2) have the user add
> acl foo proxy_auth REQUIRED
> and then write their external acl access rules that use %LOGIN as (say)
> http_access deny !foo external external !external
> 3) dynamically insert the data for 2) when parsing, if you encounter %LOGIN
> in an external_acl rule.
>
> I favour 3 - it's a bit harder to do _right_, but the user may be less
> confused.
>
> Rob

Or 4, make challenge processing/generation/IP verification more cleanly
separated from the proxy_auth ACL match.

Note: I strongly dislike the idea of "dynamically" rewriting the
configuration. Also, doing so would not work properly in conjunction with
deny_info. The closest we can do in this direction is to have the
external ACL match make a "dummy" proxy_auth ACL that is not actually
part of the configuration, and have it call aclMatchAcl on this internal
acl. Personally, I would prefer a cleaner solution to the problem "User
must be fully authenticated before this can continue".

--
Henrik
Received on Thu Jul 19 2001 - 02:16:22 MDT
