in reply to RFC: Authentication/Authorization System

You might get some ideas by taking a look at the Catalyst::Plugin::Authentication and Catalyst::Plugin::Authorization modules. In each category there is a basic module which provides the public interface and then a host of lower level modules which provide the actual code and interface with the various back-end stores and such. It's an elegant and flexible system, provided you get the API right (and you seem to have already given it some good thoughts).

For the role-based authorization, the access control list approach has real merit. It ties together some resource (actually a Catalyst action with a role) and provides for automatic "You are not allowed to access this page" replies.

So the first part of your project is already written (well at least within Catalyst's little world). Now if you could tie in your user-management to the Catalyst plugins and have it discover and service the actual back-end stores used, that would surely make it a winning module.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re^2: RFC: Authentication/Authorization System
by eric256 (Parson) on Jul 19, 2006 at 22:20 UTC

    The more I look at this the more it seems like we need a DBI-esque (as in a general API with several backends) for querying AND maintaining user/role/group data. Authen::Simple is halfway there with the query interface but it doesn't provide a way to update the backend. Then my project would be a simple application based on this Auth.* API. But then I wonder if those different backends provide ways to be updated via Perl. For instance the POP3 backend is easy to query but doesn't provide a way to update it.

    Perhaps I should look more into expanding the existing modules to allow updating of the data in a consistent manner, and then build my application/module on top of that.

    I could always start with just a single DBI-based driver layer and let others expand it to other auth.* systems.


    ___________
    Eric Hodges
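
The layering discussed in this thread (one front-end API, interchangeable back-end drivers, some of which can only be queried) can be sketched as follows. This is an added example, not code from either poster or from any CPAN module; the `My::Auth` package names, their methods and the sample users are all hypothetical.

```perl
use strict;
use warnings;

# Hypothetical read/write driver; a DBI-backed driver would expose the same methods.
package My::Auth::Backend::Memory;
sub new        { my ($class) = @_; return bless { roles => {} }, $class }
sub can_update { return 1 }
sub roles_for  { my ($self, $user) = @_; return sort keys %{ $self->{roles}{$user} || {} } }
sub grant      { my ($self, $user, $role) = @_; $self->{roles}{$user}{$role} = 1; return 1 }

# Hypothetical query-only driver, standing in for a store such as POP3 that
# can answer questions but offers no way to change its data.
package My::Auth::Backend::Fixed;
sub new        { my ($class, %roles) = @_; return bless { roles => {%roles} }, $class }
sub can_update { return 0 }
sub roles_for  { my ($self, $user) = @_; return @{ $self->{roles}{$user} || [] } }

# Front end: callers use one API regardless of which driver is plugged in.
package My::Auth;
use Carp qw(croak);
sub new {
    my ($class, %args) = @_;
    my $backend = $args{backend} or croak 'backend required';
    return bless { backend => $backend }, $class;
}
sub has_role {
    my ($self, $user, $role) = @_;
    return 0 unless defined $user && defined $role;    # deny by default
    return (grep { $_ eq $role } $self->{backend}->roles_for($user)) ? 1 : 0;
}
sub grant {
    my ($self, $user, $role) = @_;
    # Refuse up front instead of calling a method the driver does not have.
    croak ref($self->{backend}) . ' is query-only' unless $self->{backend}->can_update;
    return $self->{backend}->grant($user, $role);
}

package main;

# Constructed sample data: one updatable store, one query-only store.
my $rw = My::Auth->new(backend => My::Auth::Backend::Memory->new);
$rw->grant('alice', 'admin');
print 'alice/admin on updatable store: ', $rw->has_role('alice', 'admin'), "\n";

my $ro = My::Auth->new(backend => My::Auth::Backend::Fixed->new(bob => ['reader']));
print 'bob/reader on query-only store: ', $ro->has_role('bob', 'reader'), "\n";
print 'bob/admin on query-only store:  ', $ro->has_role('bob', 'admin'), "\n";
eval { $ro->grant('bob', 'admin'); 1 } or print "update refused: $@";
```

The `can_update` capability check is what lets an application built on the front end decide whether to offer user-management features for a given back end.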