I saw Raewyn's message about ACLs and thought I'd better mention something
about what we've just done. We'd been meaning to pay the Harvest people to add
this to Harvest for us - we'd just started organising it a couple of weeks
ago when we found squid. Now it looks like we'll be dropping Harvest in favour
of squid.
Anyway, what we wanted was real time access authentication, so we've added a
new module auth.c, containing the function authCheck which is passed the host
requesting the URL and the URL request information - it returns an error
message (if an error occurs) which is displayed to the user surrounded by
authentication failed http similar to that for access denied.
authCheck() is called just after the ACL is checked, so only clients that pass
the ACL get checked. This has all been done in general in case anyone else is
interested in this sort of thing.
If anyone is interested, we could supply the changes with a stubbed auth.c -
anyone who wants to use this type of authentication fills in the code they need
in auth.c.
In our case auth.c does a cached lookup on the client IP address to get the
client host name, then does an RPC call to check the client host, time and URL
host against tables in our database. Because our database knows who is logged
in on each client, we now have the ability to allow or deny access to a URL
based on client host, client logged in to client host, time and URL host,
simply by changing tables in our central database.
We were going to charge users in a similar way at the end of each access, but
with the volume of charges we've decided to process logs for that instead.
I'd like to hear what anyone else has to say about what we've done. Is anyone
else interested?
Brent Foster
Systems Programmer, Computing Services
Massey University, Palmerston North, New Zealand
Received on Wed Jul 31 1996 - 23:04:16 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:45 MST