Re: external ACL

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 19 Jul 2001 23:31:20 +0200

Chemolli Francesco (USI) wrote:

> IMO IP verification is more of an authorization than authentication issue.
> The "problem" here is that we want to be lazy in performing authentication,
> and do that only when it is needed for authentication.

I think you meant "... needed for authorization."

True, and this is a very nice feature I'd like to keep as it allows for
very flexible configurations structured in a quite logical manner.

Eventually I'd even like to see the fully relaxed approach where
authentication is only required if the request was denied and any
authentication-based checks had been involved. This to give even greater
configuration flexibility. However, there are some security implications
with existing configurations if making this change.

--
Henrik
Received on Thu Jul 19 2001 - 15:42:55 MDT
