> I think this may be solved by architecture. If you have an Authz layer
> maybe it needs to be called sooner than right when you need it.
> 
> I have a Session-based auth system. When the user successfully
> authenticates the Auth handler does a lookup in a db where we store all
> users' authz information. The db has an access level for each user for
> each widget in the application. These are all loaded into a hashref and
> stored in the serverside session. An encrypted cookie has the key to the
> session.

Yes, but you're then making the authorization layer inseparable from
your applicative layer, and hence you lose the interest of using
separate handlers.

I think it would be much nicer to write webapps on which you can plug
any authorization / authentication handler chain and maintain those
things as separate as possible.

Then if your application uses the REST paradigm, all access control can
be done using URIs, which is very neat.

Cheers,
-- 
Building a better web - http://www.mkdoc.com/
---------------------------------------------
Jean-Michel Hiver
[EMAIL PROTECTED]  - +44 (0)114 255 8097
Homepage: http://www.webmatrix.net/
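As an added illustration of the separate-handler design argued for in this reply (this is example code written here, not code from the thread, from mkdoc or from either poster), the following Python models the authentication, authorization and content phases as a pluggable chain of handlers, with access control expressed only as rules over URI prefixes so the application handler contains no authz logic. The session store, cookie name, access levels and URI rules are constructed assumptions, and the chain composition is a WSGI-style stand-in for whatever handler framework is actually in use.

```python
"""Pluggable auth handler chain with URI-based access control.

Added example, not code from the thread. Models the phases discussed
above (authenticate -> authorize -> content) as a chain of callables so
the content handler never sees authorization logic. All data below is
constructed for illustration.
"""

# Per-user access level for each widget, loaded into the server-side
# session at login as the quoted post describes. Constructed sample data.
SESSIONS = {
    "sess-alice": {"user": "alice", "authz": {"reports": "write", "billing": "read"}},
    "sess-bob":   {"user": "bob",   "authz": {"reports": "read"}},
}

# URI prefix -> (widget, minimum level). First match wins, so the more
# specific prefix must be listed before the broader one. Constructed rules.
LEVEL_RANK = {"none": 0, "read": 1, "write": 2}
URI_RULES = [
    ("/billing/", "billing", "read"),
    ("/reports/edit/", "reports", "write"),
    ("/reports/", "reports", "read"),
]


class Request:
    def __init__(self, path, cookies=None):
        self.path = path
        self.cookies = cookies or {}
        self.user = None
        self.authz = {}


def authen_handler(req, next_handler):
    """Resolve the session cookie to a user; 401 if absent or unknown."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "authentication required"
    req.user, req.authz = sess["user"], sess["authz"]
    return next_handler(req)


def authz_handler(req, next_handler):
    """Enforce access purely from URI rules; knows nothing about the app."""
    for prefix, widget, required in URI_RULES:
        if req.path.startswith(prefix):
            have = req.authz.get(widget, "none")
            if LEVEL_RANK[have] >= LEVEL_RANK[required]:
                return next_handler(req)
            return 403, f"{req.user} lacks {required} on {widget}"
    # Default deny: a URI with no rule is never served by accident.
    return 403, "no rule matches URI"


def content_handler(req, _next=None):
    """The application proper: no authorization code in here at all."""
    return 200, f"hello {req.user}, serving {req.path}"


def build_chain(*handlers):
    """Compose handlers so each one decides whether to call the next.

    Swapping the authentication or authorization mechanism means
    replacing one element of this tuple; the content handler is untouched.
    """
    def run(req, i=0):
        if i == len(handlers) - 1:
            return handlers[i](req, None)
        return handlers[i](req, lambda r: run(r, i + 1))
    return run


app = build_chain(authen_handler, authz_handler, content_handler)


def serve(path, session=None):
    """Convenience entry point: build a request and push it down the chain."""
    cookies = {"session": session} if session else {}
    return app(Request(path, cookies))


if __name__ == "__main__":
    for path, sess in [("/reports/", "sess-alice"), ("/reports/edit/1", "sess-bob"),
                       ("/billing/", None), ("/admin/", "sess-alice")]:
        print(path, sess, "->", serve(path, sess))
```

Because every decision in `authz_handler` is keyed on the URI and the session's widget map, the same chain can front any content handler, and adding a resource means adding a rule rather than touching application code.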
