Hi everyone,
Just thinking aloud here, so I would appreciate some feedback or information, particularly on something I've missed. I've been looking at mod_authz_dbd and such and have noticed that the Requires directive allows you to specify a userid or group-name that an Authz provider must match. It appears that this userid or group-name must be specified beforehand. Does anyone know of a pre-existing module that allows you to specify these Require details (preferably) from a SQL database, based on the requested URI? For example, instead of:

    <Directory /usr/www/my.site/team-private/>
        AuthType Basic
        AuthName Team
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s AND login = 'true'"
        AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
        Requires dbd-group team
    </Directory>

which restricts files in the specified directory to users who are members of the group "team", you could do something like this:

    <Directory /usr/www/my.site/team-private/>
        AuthType Basic
        AuthName Team
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s AND login = 'true'"
        AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
        MetaDBDQuery "SELECT owner, group FROM resources WHERE uri = %s"
        Requires meta-dbd-group
    </Directory>

I've had a google about and I've not found anything, apart from mod_authz_owner, that does anything close to this; that is, allows you to specify the userid or group-name based on something outside the httpd.conf/htaccess file (mod_authz_owner checks the file-owner and file-group details of the requested file). An ideal implementation would work in a similar manner to the auth framework: you would have a resource-metadata framework, consisting of providers that allowed you to specify where apache would look up the meta-data for the requested resource in order to complete the authorization phase of the request.
Doing so allows us to specify who is authorized to access a given resource (or collection/directory tree of resources) from an external system (sql-db, dbm or even a separate .meta/RDF file). In fact, if these details were in a separate file, you could modify them using simple REST principles. This is an idea I've had banging around in my head for a while now, and I'm curious if anyone has come across something similar that has already been implemented, or if there are plans to add a similar feature in a future version of apache. I would also appreciate it if anyone could give me some feedback on this idea, especially if I have missed some obvious reason why this would not be a very good idea.

Cheers!
Ben Davies
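To make the proposed flow concrete, here is an added example (not code from the post, and not an Apache module) that runs the three lookups the post sketches against an in-memory SQLite database: the AuthDBDUserPWQuery-style credential check, the AuthzDBDQuery-style group lookup, and the hypothetical MetaDBDQuery lookup of owner and group for the requested URI. The MetaDBDQuery directive, the table layout, the column name grp (group is a reserved word in SQL) and every row of sample data are assumptions constructed for this example. It goes slightly beyond the post's per-URI lookup: the request URI is canonicalised before the query, and a URI with no row of its own inherits the metadata of its nearest enclosing collection, which is what "collection/directory tree of resources" would need.

```python
import hashlib
import hmac
import sqlite3
from posixpath import dirname, normpath

# Constructed schema for this example. The column is named "grp" because
# "group" is a reserved word in SQL and would otherwise need quoting.
SCHEMA = """
CREATE TABLE authn (user TEXT PRIMARY KEY, password TEXT NOT NULL, login TEXT NOT NULL);
CREATE TABLE authz (user TEXT NOT NULL, grp TEXT NOT NULL);
CREATE TABLE resources (uri TEXT PRIMARY KEY, owner TEXT NOT NULL, grp TEXT NOT NULL);
"""


def hash_password(password: str, salt: str) -> str:
    """Salted PBKDF2 digest; the password column holds a hash, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def open_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO authn VALUES (?, ?, ?)", [
        ("alice", "s1$" + hash_password("alice-pw", "s1"), "true"),
        ("ben", "s2$" + hash_password("ben-pw", "s2"), "true"),
        ("bob", "s3$" + hash_password("bob-pw", "s3"), "true"),
        ("mallory", "s4$" + hash_password("mallory-pw", "s4"), "false"),  # login disabled
    ])
    db.executemany("INSERT INTO authz VALUES (?, ?)", [
        ("alice", "team"), ("ben", "team"), ("ben", "finance"), ("bob", "sales"),
    ])
    # Resource metadata: a trailing slash marks a collection whose entries inherit it.
    db.executemany("INSERT INTO resources VALUES (?, ?, ?)", [
        ("/team-private/", "ben", "team"),
        ("/team-private/budget.xls", "ben", "finance"),
    ])
    return db


def check_credentials(db, user: str, password: str) -> bool:
    """Counterpart of AuthDBDUserPWQuery: enabled accounts only, constant-time compare."""
    row = db.execute(
        "SELECT password FROM authn WHERE user = ? AND login = 'true'", (user,)
    ).fetchone()
    if row is None:
        return False
    salt, digest = row[0].split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), digest)


def user_groups(db, user: str) -> set:
    """Counterpart of AuthzDBDQuery: every group the user belongs to."""
    return {grp for (grp,) in db.execute("SELECT grp FROM authz WHERE user = ?", (user,))}


def canonical_uri(uri: str) -> str:
    """Collapse '.', '..' and repeated slashes before the lookup, so that
    /public/../team-private/x is matched against the row for /team-private/."""
    if not uri.startswith("/"):
        uri = "/" + uri
    clean = normpath(uri)
    if uri.endswith("/") and clean != "/":
        clean += "/"  # keep the marker that distinguishes a collection
    return clean


def resource_meta(db, uri: str):
    """Counterpart of the hypothetical MetaDBDQuery: exact URI first, then the
    nearest enclosing collection. Returns None when nothing matches."""
    candidate = canonical_uri(uri)
    while True:
        row = db.execute(
            "SELECT owner, grp FROM resources WHERE uri = ?", (candidate,)
        ).fetchone()
        if row is not None:
            return {"uri": candidate, "owner": row[0], "group": row[1]}
        if candidate == "/":
            return None
        parent = dirname(candidate.rstrip("/"))
        candidate = parent if parent == "/" else parent + "/"


def authorize(db, user: str, uri: str):
    """Decision for 'Requires meta-dbd-group' (owner access added): (allowed, reason)."""
    meta = resource_meta(db, uri)
    if meta is None:
        return False, "no metadata for %s: deny by default" % canonical_uri(uri)
    if user == meta["owner"]:
        return True, "%s owns %s" % (user, meta["uri"])
    if meta["group"] in user_groups(db, user):
        return True, "%s is in group %s required by %s" % (user, meta["group"], meta["uri"])
    return False, "%s is not in group %s required by %s" % (user, meta["group"], meta["uri"])


if __name__ == "__main__":
    conn = open_db()
    for u, p in (("alice", "alice-pw"), ("mallory", "mallory-pw")):
        print(u, "authenticated:", check_credentials(conn, u, p))
    for u, r in (("alice", "/team-private/notes.txt"), ("alice", "/team-private/budget.xls"),
                 ("ben", "/team-private/budget.xls"), ("bob", "/team-private/")):
        print(u, r, authorize(conn, u, r))
```

Two design points worth noting: every lookup is a parameterised query (the `?` stands where the post's `%s` does), and a resource with no metadata row and no enclosing collection is denied rather than allowed, so an incomplete resources table fails closed.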