I think this is a good idea, since the alternative is for individual
applications to have their own configuration scheme for common
access-control options, which could lead to configuration chaos. The
only risk here is adding bloat to the framework. But the benefit is
that if we take care of the most common use-cases then for many users
we can dispense with the need for an access-control proxy server. I
think that will make people's lives easier in the long-run, so I vote
yes. I'd be interested to hear other people's thoughts on this,
though.
Another benefit to moving access-control into the framework is that
you could provide a single access-denied URL for all applications in
an installation, e.g. redirect to a log-in page.
I think it would be nice to support access-control plug-ins of some
sort so that you could just drop a plug-in into a CB installation and
be able to apply its custom configuration options to a set of existing
applications. E.g. checking a single-sign-on cookie or something.
There might be some subtleties in defining the order in which
access-control options or plug-ins are invoked.
By the way there was a patch recently implementing client-certificate
checking in cb_admin, you might want to check it out and see if it
makes sense to implement in CB:
http://groups.google.com/group/chicagoboss/browse_thread/thread/cbc175598276d60f/f4fa184dbacb8ef6