ACL proposal

From: <>
Date: Fri, 19 Jul 1996 09:17:40 -0400

For various reasons (some security, some political), we have a need for ACLs
that can do the following:

Match based on User-Agent header
Deny a group, redirecting them to a URL that explains why they were denied
Allow a group, but require HTML parsing to filter out java a/o javascript
a/o ActiveX

None of these are difficult to write, but the current code structure for
ACLs only passes a minimal amount of pre-parsed information to the ACL
code. I could implement the changes in a number of ways:

1) Add additional pre-parsed info

Good if more than one ACL needs the same piece of info, as it avoids per-ACL
parsing overhead. Unfortuatey, it increases the function call overhead, and
eventually leads to calling the ACL functions with 50 arguments.

2) Pass the MIME header pointer

allows more flexibility, but at the expense of parsing time for every ACL

3) Add additional pre-parsed info in a structure, which is passed by
reference rather than by value

Same pre-parsing advantages of (1), but avoids the ever-expanding arg-list
syndrom. Also allows easy code modification as the function prototypes don't
need to be hacked for every ACL code addition.

(3)'s the best I've come up with so far for generalizing the ACL calling
convention. Any other ideas?

Now for the HTML parsing (yeah, I know, slow and icky, but it's even worse
if I do it somewhere else).

My current idea is to add a filter callback list (array of function
pointers), that the either the network read or client write routines will
call (I haven't decided where I'd rather have it, but I suspect that it
needs to be in the client write routines so that we cache the original,
unmodified page). The read/write handler would walk through the function
pointer array, calling each routine in turn on the buffer it was about to
pass on. There might also be a state pointer for each function, so it can
rememebr where it is as it has to do everything in one pass.

Any other ideas or suggestions?

Carson Gaspar --
<This is the boring business .sig - no outre sayings here>
Received on Fri Jul 19 1996 - 06:23:28 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:41 MST