C
Charles Packer
For the "existing suite of CGI scripts"
mentioned in the earlier thread "Streamlining
login..." it turns out that our Leader
opposes Apache authentication and
authorization. The main objections are,
first, that it takes sysadmin-level
knowledge to add a new user or set up a new
level of privilege, and second, that
authorization is tied to the directory
structure of the affected scripts.
Therefore I'm thinking of a custom-made
approach that would start with a browser form
to be used by an operator to add new
users and indicate which processes they may
run. Then it looks like the CGI::Auth module
or, even better, CGI::Auth::Auto is what to
use for authentication, assuming that I'm
able to maintain its files with the
above-mentioned browser tool. As I
understand it, at the start of every
sensitive script I would call check(),
which would handle the authentication,
including possible session timeout. It
will present a login page of my own design,
right? Then I would be on my own for the
authorization step, i.e. determining whether
this user is allowed to execute this script.
Presumably this would involve checking a
list that would be maintained by the operator
through the same browser tool that that's
used to add users. Anybody see any problems
with this? No news will be good news...
mentioned in the earlier thread "Streamlining
login..." it turns out that our Leader
opposes Apache authentication and
authorization. The main objections are,
first, that it takes sysadmin-level
knowledge to add a new user or set up a new
level of privilege, and second, that
authorization is tied to the directory
structure of the affected scripts.
Therefore I'm thinking of a custom-made
approach that would start with a browser form
to be used by an operator to add new
users and indicate which processes they may
run. Then it looks like the CGI::Auth module
or, even better, CGI::Auth::Auto is what to
use for authentication, assuming that I'm
able to maintain its files with the
above-mentioned browser tool. As I
understand it, at the start of every
sensitive script I would call check(),
which would handle the authentication,
including possible session timeout. It
will present a login page of my own design,
right? Then I would be on my own for the
authorization step, i.e. determining whether
this user is allowed to execute this script.
Presumably this would involve checking a
list that would be maintained by the operator
through the same browser tool that that's
used to add users. Anybody see any problems
with this? No news will be good news...