httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42079] - SSLRequire: Additional access in sub-directoies
Date Thu, 12 Apr 2007 15:01:07 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42079>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42079





------- Additional Comments From somme@slb.com  2007-04-12 08:01 -------
(In reply to comment #1)
> As we discussed in 41911, you can achieve the objective by url rewriting.
> I still believe that if there is a restriction on subdir1 then subdir1/subdir2
> can not bypass that restriction. It seems counter intuitive to me. I think that
> in most of the cases, rearranging the subdirectories and url rewriting will solve
> the issue.


Well, what's intuitive for a person is always a subjective thing.

I my case I have a structure that I have used for 10 years (!) where I want
to migrate just the authentication protocol to using client certs (from the 
use of LDAP and standard user/group authentication). It consists of thousands 
of subdirectories where today 462 subdirectories all need individual/unique 
access rights (a combination of 275 individual users).

To me it is intuitive that I can use the same directory structure independent 
of authentication protocol. Using LDAP and/or user/group access had no 
limitations.

To me it is also intuitive that you gain improved security by first restricting 
*all* access to the whole web server and then open up where you want. Using 
the reverse approach you need to remember to restrict access to all nodes 
where you don't want access. People will tell you loudly if they don't get 
the access they expect but they will never tell you if they have too much access.

Any feedback is appreciated.
Thanks.




-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message