Russ Allbery wrote:

>> Also, does this incur performance problems?
>
> It's certainly slower, and it means that you can't use mod_perl, mod_php,
> etc. and have to run an external interpreter. That's definitely not
> ideal, and it would be nice to have a better solution to that. But
> maintaining a separate token for a particular Apache thread is very hard.
>
> People doing things that require higher performance have to convince us
> that they know what they're doing and won't cause security vulnerabilities
> and can be trusted with the more general server credentials. (Which are
> still not particularly strong, to mention.)
You really can't keep a separate per-thread token with AFS unless you are willing to use a user-mode cache manager linked to Apache. If you do, you can access AFS as the user for web operations, but anything external such as CGI/PHP, Tomcat, or ColdFusion still loses.

With Apache 2.0/2.1, it is possible to construct an implementation using the pre-fork model that allows you to associate a single token with each request that will also be used for CGI/PHP but not for Tomcat or ColdFusion. In this model, you can set per-directory rules that indicate whether the external application should run with a web-server token, the user token, or no token at all, and manipulate the contents of a per-process PAG.

I am working with a member of the Apache development team to develop an Apache 2.0/2.1 module which will provide such functionality.

Jeffrey Altman