Michael Lackhoff wrote:
> On 31 Mar 2006 at 12:18, Jesse Erlbaum wrote:
> 
>> One other note, on which I have been harping for years:  If you are
>> about to tell me that you can't have a separate instance script for each
>> application because your login system would have to be duplicated in
>> each application, then you're doing things wrong.  Authentication and
>> authorization belong in Apache -- not in your CGI-App module.
> 
> No, this is not the reason why I want to split my application, but 
> still, I am not convinced that authorization belongs in Apache. Say I 
> have an application with a company and branches. Now I want that a user 
> is only allowed to run the runmodes with data of the branch the user 
> belongs to.
> This info is within the application and Apache doesn't know anything 
> about it -- at least if I don't want to duplicate my branch layout in a 
> htgroups file or similar.
> Or if this case is still simple enough that with some tricks Apache can 
> use the info in the database, what about special cases where a user is 
> granted rights just for part of the info, say anything except salary? 
> The 'knowledge' about the different roles of users is inherently within 
> the application and I cannot see how Apache can do really flexible 
> access restriction without being part of the application.

Even the most complicated auth setup can be done in Apache using
mod_perl Authz and Authen handlers. Even though it's running at the
Apache level, it's still a part of your application since it's
connecting to your database and has your business logic. It's just done
before your application has a chance to run.

-- 
Michael Peters
Developer
Plus Three, LP
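
What such a handler can look like for the branch case discussed in this thread, as an added example that is not code from any poster: a mod_perl 2 `PerlAuthzHandler` that checks the authenticated user against a branch table in the application's database. The module names, the `user_branch` table, the `BranchDSN` variable and the `branch` query parameter are assumptions.

```perl
package MyApp::BranchAuthz;    # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec  ();   # $r->user, $r->args
use Apache2::RequestUtil ();   # $r->dir_config
use Apache2::Log         ();   # $r->log_error
use Apache2::Const -compile => qw(OK FORBIDDEN SERVER_ERROR);
use DBI ();

# Assumed httpd.conf wiring (MyApp::Authen is a hypothetical Authen handler):
#   <Location /app>
#     AuthType Basic
#     AuthName "MyApp"
#     PerlAuthenHandler MyApp::Authen
#     PerlAuthzHandler  MyApp::BranchAuthz
#     Require valid-user
#     PerlSetVar BranchDSN "dbi:SQLite:dbname=/path/to/myapp.db"
#   </Location>

sub handler {
    my $r = shift;

    # The Authen phase has already run; without a user name, deny.
    my $user = $r->user;
    return Apache2::Const::FORBIDDEN unless defined $user && length $user;

    # Branch requested in the query string, e.g. ?rm=report&branch=12.
    # Only a plain integer is accepted; anything else is denied.
    my ($branch) = ($r->args || '') =~ /(?:^|[&;])branch=(\d{1,9})(?:[&;]|$)/;
    return Apache2::Const::FORBIDDEN unless defined $branch;

    my $count;
    my $ok = eval {
        my $dbh = DBI->connect($r->dir_config('BranchDSN'), undef, undef,
                               { RaiseError => 1, PrintError => 0 });
        # Placeholders keep user name and branch id out of the SQL text.
        ($count) = $dbh->selectrow_array(
            'SELECT COUNT(*) FROM user_branch WHERE username = ? AND branch_id = ?',
            undef, $user, $branch);
        $dbh->disconnect;
        1;
    };
    unless ($ok) {    # database problem: fail closed, never fall through to OK
        $r->log_error("BranchAuthz: lookup failed: $@");
        return Apache2::Const::SERVER_ERROR;
    }
    return $count ? Apache2::Const::OK : Apache2::Const::FORBIDDEN;
}

1;
```

The application has to read the branch id from the same place and in the same way as the handler (here, the first `branch` in the query string); if it takes it from a POST body or a later duplicate parameter, the check and the use can disagree.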

