RE: Authentication by acl

From: <[email protected]>
Date: Fri, 13 Nov 1998 08:33:36 +0100

Hi,
I am just working on a patch that allows ACLs on the user name
of the basic authentication header. For 2.0p2 the patch
seems to work; version 2.1pre3 has not been properly
checked yet. The check uses regular expressions and is
not too complicated, at first glance.

I evaluate this acl type in order to solve the following
problem: Is it possible to direct the user access of
different user groups to the particular internet
connections they have paid for when there are
overlapping groups of users (due to the fact that
there is also the backbone ...) ?

So, using this new type of acl I can select the proxy
parent in the "cache_peer_access" directive on a user
authorization base. The only problem arises when there
is no header supplied. In that case, the acl item must
always evaluate TRUE, even if negated. Otherwise there
would be no way to force the client to authenticate herself
by specifying the "proxy_auth" acl in the body of the
squid configuration.

On the other hand, if used in an "http_access" directive,
the same unspecified case must always evaluate FALSE in
order to work as expected.

The solution came out quite simple. If somebody is
interested, I will publish this patch when I have
checked the 2.1pre3 case. Is it sensible to have this
patch as a feature in the SQUID distribution? It should
also work with the "delay_pool" stuff.

jordan

> ----------
> From: Henrik Nordstrom[SMTP:hno@hem.passagen.se]
> Sent: Thursday, 12 November 1998 22:46
> To: Chris Hughes
> Cc:
>
> Subject: Re: Authentication by acl
>
> By design a authentication program can only validate if the password is
> correct or not. Not if the user has access to the requested resource.
>
> 2.1 has a more flexible proxy_auth ACL type which may help you.
>
> acl aclname proxy_auth username ...
> # list of valid usernames
> # use REQUIRED to accept any valid username.
> #
> # NOTE: when a Proxy-Authentication header is sent but it is not
> # needed during ACL checking the username is NOT logged
> # in access.log.
> #
> # NOTE: proxy_auth requires a EXTERNAL authentication program
> # to check username/password combinations (see
> # authenticate_program).
> #
>
>
> Chris Hughes wrote:
> >
> > Is it possible to do different user authentications based on the url a
> > user is trying to get? Basically I would like to be able to pass the
> > authentication program the acl the user is trying to get to.
>
Received on Fri Nov 13 1998 - 00:41:39 MST
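A squid.conf fragment for the per-group parent routing discussed in this thread, as an added example that is not jordan's patch nor anything from the original messages; it uses the 2.1 proxy_auth ACL with username lists (as Henrik describes) instead of the regex patch, and the hostnames, usernames, group names and authenticator path are placeholders:

```conf
# Constructed squid.conf fragment (Squid 2.1-style syntax); all names
# below are placeholders.

# External program that validates username/password pairs
# (path is a placeholder for wherever ncsa_auth is installed).
authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd

acl all src 0.0.0.0/0.0.0.0

# Any valid username counts as authenticated.
acl authenticated proxy_auth REQUIRED

# Two overlapping customer groups, matched by authenticated username
# (carol has paid for both connections).
acl group_isp_a proxy_auth alice bob carol
acl group_isp_b proxy_auth carol dave

# Force authentication: a request without a valid Proxy-Authorization
# header fails "authenticated" here, so the client gets a 407 challenge.
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# Upstream parents, one per paid-for internet connection.
cache_peer parent-a.example.net parent 3128 3130 no-query
cache_peer parent-b.example.net parent 3128 3130 no-query

# Route each group to its own parent. http_access is evaluated before
# peer selection and has already rejected unauthenticated requests, so
# these rules only ever see a request carrying a valid username, which
# sidesteps the "no header supplied" case raised in the thread.
cache_peer_access parent-a.example.net allow group_isp_a
cache_peer_access parent-a.example.net deny all
cache_peer_access parent-b.example.net allow group_isp_b
cache_peer_access parent-b.example.net deny all

# Never fetch directly; every request must leave through one of the
# parents the user is entitled to.
never_direct allow all
```

A user who is in neither group authenticates successfully but is denied by both cache_peer_access lists and, with never_direct set, cannot be forwarded at all, so check the group lists stay in sync with the password file.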
