Shibboleth Developers

["Spencer W. Thomas" <>]

Chiming in here, a little late, as a SP developer.

Our authn/z uses the filter approach (in Java -- our perl definitely
follows the programmatic approach for authz, with some authn mixed in
for the IP case.)  The filter approach provides the cleanest separation
, and allows development of simple apps (for which authz is either "yes"
or "no") to be totally innocent of any authn/z knowledge.  For these
apps, the filter denies access if the user is not authz.  Even
authz-aware apps don't have to deal with the unauthz case, and can focus
on application-specific authz processing.

Where an API is good, is in providing a way of getting at the
information that the filter has deposited in the request/session.  It
can be pretty thin, just hiding the attribute names, or it can be
thicker where there is a need for commonality of function in the client.

=Spencer