Posted: Fri Sep 01, 2006 2:15 pm
by Ambush Commander
Hmm... push versus pull. My idea is that the authenticator passes off as much data (not just a bool of whether or not they authenticated) to the authorizer, but the authorizer could manage the creation of the authenticator and add those stipulations so it ends up with a boolean answer.

Which seems more natural to you?

Posted: Fri Sep 01, 2006 2:24 pm
by Weirdan
What do you mean, can you prove it???
Scenario #1 (simple 1d auth)
Server asks: Who are you?
I respond: I'm Bruce Weirdan.
Server asks: Can you prove that?
I respond: Yeah, of course. I know the password only Bruce knows (here it is: '********'), thus, rest assured, me is him.
*Server checks the data*
Server responds: Welcome, Bruce!

Scenario #2 (classic 3d auth)
Server asks: Who are you?
I respond: I'm Bruce Weirdan.
Server asks: Can you prove that?
I respond: Yeah, of course. I know the password only Bruce knows (here it is: '*********'), I have the hardware token issued to him (*inserting the token into the reader*), moreover, here is my retinal scan (*opening the eye for scanner to scan*) you could check against your database, thus, rest assured, me is him.
*Server checks the data*
Server responds: Welcome, Bruce!

Scenario #3 (delegated auth)
Server asks: Who are you?
I respond: I'm Bruce Weirdan.
Server asks: Can you prove that?
I respond: Yeah, of course. There's an authority you trust, they know me and could confirm my identity, thus, rest assured, me is him.
*Server asks the authority*
Server responds: Welcome, Bruce!

... and so on.

Posted: Fri Sep 01, 2006 2:35 pm
by Weirdan
Which seems more natural to you?
I prefer a declarative interface, so instead of writing something like this:

if($auth->isLoggedIn() && $auth->hasPrivilege(VIEW_TOP_SECRET_STUFF)) {
   // show top secret stuff
}
I would rather use something along the lines of:

restricted_area();
required_privilege(VIEW_TOP_SECRET_STUFF);
// show top secret stuff
It's pretty inflexible, yet clear and simple.
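
One way the declarative guards from the post above could be made to work, as an added example that is not part of the thread or any poster's code: each guard throws instead of returning a bool, so a forgotten `if` cannot leave the page open. `AccessDenied`, `current_identity()`, the session layout and the constant's value are assumptions.

```php
<?php
// Added illustration; AccessDenied, current_identity() and the session layout are assumptions.
const VIEW_TOP_SECRET_STUFF = 'view_top_secret_stuff'; // constructed value
class AccessDenied extends RuntimeException {}

/** Identity the authenticator stored after login, or null for a guest. */
function current_identity(): ?array
{
    return $_SESSION['identity'] ?? null;
}

/** Declarative guard: execution continues only for an authenticated user. */
function restricted_area(): void
{
    if (current_identity() === null) {
        throw new AccessDenied('login required');
    }
}

/** Declarative guard: execution continues only if the privilege is held. */
function required_privilege(string $privilege): void
{
    restricted_area(); // a privilege check implies authentication
    $granted = current_identity()['privileges'] ?? [];
    if (!in_array($privilege, $granted, true)) {
        throw new AccessDenied("missing privilege: $privilege");
    }
}

function top_secret_page(): string
{
    restricted_area();
    required_privilege(VIEW_TOP_SECRET_STUFF);
    return 'top secret stuff';
}

// Constructed sample sessions: a guest, a user without the privilege, a user with it.
$sessions = [
    'guest' => [],
    'bruce' => ['identity' => ['user' => 'bruce', 'privileges' => []]],
    'admin' => ['identity' => ['user' => 'admin', 'privileges' => [VIEW_TOP_SECRET_STUFF]]],
];
foreach ($sessions as $name => $session) {
    $_SESSION = $session;
    try {
        echo "$name: ", top_secret_page(), "\n";
    } catch (AccessDenied $e) {
        echo "$name: denied (", $e->getMessage(), ")\n";
    }
}
```

Only the `admin` session reaches the page body; the other two stop at the first guard that fails.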

Posted: Fri Sep 01, 2006 2:43 pm
by alex.barylski
It's pretty inflexible, yet clear and simple.
Inflexible yes...clear...is debatable...simple is relative...so is an imperative approach to solving this problem...both are easy to understand when given the context of the section of code, but without that, the former makes much more sense...

Cheers :)

Posted: Fri Sep 01, 2006 2:48 pm
by Weirdan
but without that, the former makes much more sense...
Debatable as well :D