>>> On 12/6/2005 at 12:04:47 am, in message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> On Mon, Dec 05, 2005 at 02:17:09PM -0700, Brad Nicholes wrote:
>> Ignoring SATISFY <whatever> for now, we still want each provider to be
>> called in the listed order and whether authorization is GRANTED or
>> DENIED may not be known until each one has been called. Until then the
>> status is simply DECLINED. We can assume that DENIED and DECLINED mean
>> the same thing as long as we get rid of the AuthzXXXAuthoritative
>> directives. If not then each authz module has to be able to communicate
>> the difference between DECLINED and DENIED
>
> I do think we need to get rid of Authoritative, yes.
>

Good, then I am +1 on the authz providers only returning AUTHZ_GRANTED or AUTHZ_DENIED. I don't see a need for anything else.

> I'd prefer slapping 'core' on their names than leaving an undecorated
> 'mod_authn' here. Another alternative would be to just have them both in
> 'mod_auth_core'.
>
> Even if it were split out, mod_authn_core really wouldn't perform too much
> heavy lifting as the basic/digest mechanisms do the heavy lifting w.r.t.
> authn providers. But, for authz, because no one really 'owns' require or
> satisfy, a mod_authz/mod_authz_core would do most of the provider
> invocations - unless we can come up with a better module ownership of the
> 'core' authz directives. -- justin

I'm good with mod_authn_core and mod_authz_core. Since I already added mod_authn.c and mod_authz.c to SVN I'm not sure how to rename them. Could you rename the files in SVN and I'll take care of the rest.

Brad
