The first thing you have to consider is complexity and manageability. Do you have lots of users with lots of different URI allowances, with lots of URIs to work with, or is there some limited number of URI "groups" and/or some pattern to the users that present a certificate? For example, if you had 1000 users that had 1000 different combinations of URI allowances, who would want to have to manage that list? The next question is what do you want to do if a user presents a request that they are not allowed to get (based on your data group search)? Would you want to simply reject the connection, redirect them to a sorry page or some other page in the site, or send some static HTML?
Nimbostratus
