On Wed, Jul 05, 2006 at 06:46:49AM -0400, Sam Varshavchik wrote: > Because I've yet to see a logical explanation why authlib needs to know > this. authlib's purpose is to verify account passwords. That's it. The > client's IP address is completely and totally irrelevant as far as the > answer to the following question: is the password valid?
Yes, but there are reasons for applying access control policy based on both IP address and user identity, and passing the IP down to the authentication layer would be a simple way of achieving this. Otherwise a separate authorisation layer would be needed. The sort of policies I've seen requested are: - particular users allowed only from particular IP addresses - logins from certain IPs can be plaintext, from other IPs must use SSL (e.g. logins webmail server or local LAN are OK plaintext) - some authentication backends make use of this information, in particular vchkpw can use it to do SMTP-after-POP (admittedly a legacy requirement) - to treat logins from a trusted proxy differently to logins from the rest of the Internet Examples of this request: http://sourceforge.net/mailarchive/message.php?msg_id=6518340 http://sourceforge.net/mailarchive/message.php?msg_id=13309553 http://sourceforge.net/mailarchive/message.php?msg_id=15117618 Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Courier-imap mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
