Robert Collins wrote:
>
> So you want to force authentication if not present?
>
> Three possible ways
> 1) duplicate code from the proxy_auth ACL type. Remembering that
> _authentication_ vs authorisation is all modularised in authenticate.c
> 2) have the user add
> acl foo proxy_auth REQUIRED
> and then write their external acl access rules that use %LOGIN as (say)
> http_access deny !foo external external !external
> 3) dynamically insert the data for 2) when parsing, if you encounter %LOGIN
> in an external_acl rule.
>
> I favour 3 - it's a bit harder to do _right_, but the user may be less
> confused.
>
> Rob

Or 4, make challenge processing/generation/IP verification more cleanly
separated from the proxy_auth ACL match.

Note: I strongly dislike the idea of "dynamically" rewriting the
configuration. Also, doing so would not work properly in conjunction with
deny_info. The closest we can do in this direction is to have the
external ACL match make a "dummy" proxy_auth ACL that is not actually
part of the configuration, and have it call aclMatchAcl on this internal
acl. Personally, I would prefer a cleaner solution to the problem "User
must be fully authenticated before this can continue".
-- Henrik

Received on Thu Jul 19 2001 - 02:16:22 MDT
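
A small checker for the ordering issue discussed in this thread, as an added example that is not part of either message or of Squid: it flags http_access rules that test a %LOGIN-based external ACL before any proxy_auth ACL, the pairing that option 2 leaves to the user. The configuration is constructed, the ACL names and helper path are placeholders, and the "external_acl_type name FORMAT helper" layout is an assumption.

```python
# Added example: lint a squid.conf for %LOGIN external ACLs used before authentication.
# SAMPLE_CONF is constructed; ACL names and the helper path are placeholders.
SAMPLE_CONF = """\
acl foo proxy_auth REQUIRED
external_acl_type grp_check %LOGIN /path/to/group_helper
acl in_group external grp_check staff
http_access allow in_group
http_access allow foo in_group
http_access allow in_group foo
http_access deny !foo
http_access allow in_group
http_access deny all
"""


def lint_login_acls(conf_text):
    """Return [(line_no, rule)] for http_access rules that test a %LOGIN-based
    external ACL before any proxy_auth ACL has been evaluated."""
    auth_acls, login_types, login_acls = set(), set(), set()
    guarded = False  # True once an earlier "deny !<proxy_auth acl>" rule is seen
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "external_acl_type" and len(tok) >= 3:
            if "%LOGIN" in tok[2:]:
                login_types.add(tok[1])
        elif tok[0] == "acl" and len(tok) >= 3:
            if tok[2] == "proxy_auth":
                auth_acls.add(tok[1])
            elif tok[2] == "external" and len(tok) >= 4 and tok[3] in login_types:
                login_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) >= 3:
            action, acls = tok[1], tok[2:]
            authed = guarded
            for name in acls:
                if name.lstrip("!") in auth_acls:
                    authed = True
                elif name.lstrip("!") in login_acls and not authed:
                    findings.append((no, " ".join(tok)))
                    break
            # A lone "deny !auth" rule stops every unauthenticated request here.
            if action == "deny" and len(acls) == 1 and acls[0][0] == "!" \
                    and acls[0][1:] in auth_acls:
                guarded = True
    return findings


if __name__ == "__main__":
    for line_no, rule in lint_login_acls(SAMPLE_CONF):
        print(f"line {line_no}: {rule}  (%LOGIN ACL tested before proxy_auth)")
```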