Hmm.. wouldn't it make more sense to have the sort of facility George is
talking about in the redirector code, rather than the auth? In other words,
send the proxy auth info to the redirector instead of sending the URL to the
auth program.

Redirectors are built for this (or should be) more than auth engines, IMHO;
they're (usually) regex-based, and it would be conceptually easy to extend a
user-group mechanism for access permissions to resources; indeed, most
already have IP-based rule groups.

Doing this through the auth program would lose any gain squid could make by
caching authentication tokens internally (don't know that it actually does
this).

I know this doesn't address the original request... It seems there might be
some other ways to achieve the same effect (such as rearchitecting your
deployment of caches to internal/external servers, running auth on external
and keeping notification of unauthorised access within the squid code). I'll
stop rambling now.

> -----Original Message-----
> From: George Michaelson [mailto:ggm@dstc.edu.au]
> Sent: Thursday, November 19, 1998 10:08 AM
> To: Henrik Nordstrom
> Cc: David Richards; Squid Discussion List
> Subject: Re: External Auth
>
>
>
> Client IP makes sense, but URL doesn't.
>
> The purpose of the authenticator is to validate who the user
> is, not if he has access to a given URL or not.
>
> Um.. Are you saying "you don't perceive it as useful" or are
> you saying
> "it cannot work" because they are not the same thing at *all*
>
> It is (to me at least) tenable to suggest that if you have a tuple of
> {user,password,client-ip,URL}
>
> and you have decided you can live with the delay of an IPC to
> an external
> auth process, the added delay to do some hash on client-ip
> and URL to derive
> a complete "this person, *FROM THIS LOCATION* can get this
> data" outcome.
>
> cheers
>
> -George
> --
> George Michaelson | DSTC Pty Ltd
> Email: ggm@dstc.edu.au | University of Qld 4072
> Phone: +61 7 3365 4310 | Australia
> Fax: +61 7 3365 4311 | http://www.dstc.edu.au
>
>
Received on Wed Nov 18 1998 - 16:42:00 MST
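
An added example, not part of the original message or of Squid's own code: a minimal redirector-style helper that combines a user-group lookup with client-IP and URL-regex rules, as the message above proposes. It assumes the helper is fed one request per line in the form `URL client-ip/fqdn user method` and answers with a blank line (leave the URL alone) or a replacement URL; the group table, rules, host names and the `DENY_URL` notice page are constructed for illustration.

```python
import ipaddress
import re
import sys

# Constructed sample policy: user -> group, then per-group rules.
GROUPS = {"alice": "staff", "bob": "students"}
# (group or "*", client network or None for any, URL regex, action); first match wins.
RULES = [
    ("staff", "10.0.0.0/8", r"^http://intranet\.example\.com/", "allow"),
    ("students", "10.1.0.0/16", r"^http://intranet\.example\.com/library/", "allow"),
    ("*", None, r"^http://intranet\.example\.com/", "deny"),
]
DENY_URL = "http://proxy.example.com/denied.html"  # hypothetical notice page


def decide(line: str) -> str:
    """Return the reply for one request line: "" (unchanged) or a new URL."""
    fields = line.split()
    if len(fields) < 4:
        return DENY_URL  # malformed input fails closed
    url, client, user, _method = fields[:4]
    try:
        addr = ipaddress.ip_address(client.split("/", 1)[0])
    except ValueError:
        return DENY_URL
    group = GROUPS.get(user)  # "-" or unknown users belong to no group
    for rule_group, net, pattern, action in RULES:
        if rule_group != "*" and rule_group != group:
            continue
        if net is not None and addr not in ipaddress.ip_network(net):
            continue
        if re.search(pattern, url):
            return "" if action == "allow" else DENY_URL
    return ""  # URLs outside the policy pass through unchanged


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # the proxy waits for each answer before continuing


if __name__ == "__main__":
    main()
```

The catch-all rule at the end of `RULES` is what makes "right user, wrong location" a denial rather than a pass-through.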