httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From chr...@apache.org
Subject svn commit: r709841 - in /httpd/httpd/trunk/docs: conf/ manual/ manual/howto/ manual/mod/
Date Sun, 02 Nov 2008 04:28:04 GMT
Author: chrisd
Date: Sat Nov  1 21:28:02 2008
New Revision: 709841

URL: http://svn.apache.org/viewvc?rev=709841&view=rev
Log:
Documentation revisions for r709838 and r709839.

Removed:
    httpd/httpd/trunk/docs/manual/mod/mod_authn_default.xml
    httpd/httpd/trunk/docs/manual/mod/mod_authz_default.xml
Modified:
    httpd/httpd/trunk/docs/conf/httpd.conf.in
    httpd/httpd/trunk/docs/manual/howto/auth.xml
    httpd/httpd/trunk/docs/manual/mod/mod_access_compat.xml
    httpd/httpd/trunk/docs/manual/mod/mod_auth_basic.xml
    httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
    httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml
    httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
    httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml
    httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml
    httpd/httpd/trunk/docs/manual/new_features_2_4.xml

Modified: httpd/httpd/trunk/docs/conf/httpd.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/httpd.conf.in?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/httpd.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/httpd.conf.in Sat Nov  1 21:28:02 2008
@@ -154,17 +154,6 @@
     # Controls who can get stuff from this server.
     #
     Require all granted
-
-    #
-    # <Directory> and <Location> directives inherit their parent's authorization
-    # rules and applies them using AND logic instead of the previous OR logic of
-    # Apache 2.2 and before.  To disable the merging of these rules use
-    # "AuthzMergeRules Off".
-    #
-    # This prevents the "Require all denied" rule in "<Directory />" above
-    # from being included in this directory's configuration.
-    #
-    AuthzMergeRules Off
 </Directory>
 
 #

Modified: httpd/httpd/trunk/docs/manual/howto/auth.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/howto/auth.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/auth.xml (original)
+++ httpd/httpd/trunk/docs/manual/howto/auth.xml Sat Nov  1 21:28:02 2008
@@ -54,7 +54,6 @@
       <li><module>mod_authn_anon</module></li>
       <li><module>mod_authn_dbd</module></li>
       <li><module>mod_authn_dbm</module></li>
-      <li><module>mod_authn_default</module></li>
       <li><module>mod_authn_file</module></li>
       <li><module>mod_authnz_ldap</module></li>
     </ul>
@@ -65,7 +64,6 @@
       <li><module>mod_authnz_ldap</module></li>
       <li><module>mod_authz_dbd</module></li>
       <li><module>mod_authz_dbm</module></li>
-      <li><module>mod_authz_default</module></li>
       <li><module>mod_authz_groupfile</module></li>
       <li><module>mod_authz_host</module></li>
       <li><module>mod_authz_owner</module></li>
@@ -430,12 +428,14 @@
     &lt;/Directory&gt;
     </example>
 
-    <p>To take authorization a little further, the directives
-    <directive module="mod_authz_core">&lt;SatisfyAll&gt;</directive> and
-    <directive module="mod_authz_core">&lt;SatisfyOne&gt;</directive> allow
-    AND/OR logic to be applied so that the order in which authorization
-    is handled can be completely controled through the configuration. See
-    these directives for a complete example on they can be applied.</p>
+    <p>To take authorization a little further, authorization container
+    directives such as
+    <directive module="mod_authz_core" type="section">MatchAll</directive> and
+    <directive module="mod_authz_core" type="section">MatchAny</directive>
+    allow logic to be applied so that the order in which authorization
+    is handled can be completely controled through the configuration.
+    See <a href="../mod/mod_authz_core.html#logic">Authorization
+    Containers</a> for an example of they may be applied.</p>
 
 </section>
 
@@ -445,75 +445,61 @@
     than just a single check against a single data store. Ordering, logic
     and choosing how authorization will be done is now possible.</p>
 
-    <section id="authandororder"><title>Applying AND/OR logic and ordering</title>
+    <section id="authandororder"><title>Applying logic and ordering</title>
         <p>Controling how and in what order authorization will be applied
-        has been a bit of a mystery in the past. In Apache 2.2 a provider based
+        has been a bit of a mystery in the past. In Apache 2.2 a provider-based
         authentication mechanism was introduced to decouple the actual 
         authentication process from authorization and supporting functionality.
         One of the side benefits was that authentication providers could be
         configured and called in a specific order which didn't depend on the 
         load order of the auth module itself. This same provider based mechanism 
         has been brought forward into authorization as well. What this means is 
-        that the <directive module="mod_authz_core">Require</directive> directive 
-        not only specifies which authorization methods should be used, it also 
+        that the <directive module="mod_authz_core">Require</directive> and
+        <directive module="mod_authz_core">Match</directive> directives
+        not only specify which authorization methods should be used, they also 
         specifies the order in which they are called. Multiple authorization 
         methods are called in the same order in which the 
-        <directive module="mod_authz_core">Require</directive> directives appear 
-        in the configuration.</p>
-
-        <p>With the introduction of the directives 
-        <directive module="mod_authz_core">&lt;SatisfyAll&gt;</directive> and 
-        <directive module="mod_authz_core">&lt;SatisfyOne&gt;</directive>, the 
-        configuration also has control over when the
+        <directive module="mod_authz_core">Require</directive>
+        or <directive module="mod_authz_core">Match</directive> directives
+        appear in the configuration.</p>
+
+        <p>With the introduction of authorization container directives
+        such as
+        <directive module="mod_authz_core" type="section">MatchAll</directive>
+        and 
+        <directive module="mod_authz_core" type="section">MatchAny</directive>,
+        the configuration also has control over when the
         authorization methods are called and what criteria determines when 
-        access is granted. For example the following authorization block would 
-        apply the logic:</p>
-
-        <example>
-          # if ((user == "John") ||<br />
-          # &nbsp;&nbsp; ((Group == "admins")<br />
-          # &nbsp; &nbsp; &amp;&amp; (ldap-group &lt;ldap-object&gt; contains auth'ed_user)<br />
-          # &nbsp; &nbsp; &amp;&amp; ((ldap-attribute dept == "sales")<br />
-          # &nbsp; &nbsp; &nbsp; &nbsp; || (file-group contains auth'ed_user))))<br />
-          # then<br />
-          # &nbsp; auth_granted<br />
-          # else<br />
-          # &nbsp; auth_denied<br />
-          #<br />
-          &lt;Directory /www/mydocs&gt;<br />
-          <indent>
-            Authname ...<br />
-            AuthBasicProvider ...<br />
-            ...<br />
-            Require user John<br />
-            &lt;SatisfyAll&gt;<br />
-            <indent>
-              Require Group admins<br />
-              Require ldap-group cn=mygroup,o=foo<br />
-              &lt;SatisfyOne&gt;<br />
-              <indent>
-                Require ldap-attribute dept="sales"<br />
-                Require file-group<br />
-              </indent>
-              &lt;/SatisfyOne&gt;<br />
-            </indent>
-            &lt;/SatisfyAll&gt;<br />
-          </indent>
-          &lt;/Directory&gt;
-        </example>
-
-        <p>By default all <directive module="mod_authz_core">Require</directive> 
-        directives are handled through an OR operation. In other words, if 
+        access is granted.  See
+        <a href="../mod/mod_authz_core.html#logic">Authorization Containers</a>
+        for an example of how they may be used to express complex
+        authorization logic.</p>
+
+        <p>By default all
+        <directive module="mod_authz_core">Require</directive> 
+        directives are handled as though contained within a
+        <directive module="mod_authz_core" type="section">MatchAny</directive>
+        container directive.  In other words, if 
         any of the specified authorization methods succeed, then authorization 
-        is granted. By enclosing a set of 
-        <directive module="mod_authz_core">Require</directive> directives within
-        a <directive module="mod_authz_core">&lt;SatisfyAll&gt;</directive> block,
-        the processing switches to an AND operation which requires all authorization 
-        methods to succeed before authorization is granted.</p>
+        is granted.</p>
+
+        <p>In contrast, by default all
+        <directive module="mod_authz_core">Match</directive> directives
+        are handled as though contained within a
+        <directive module="mod_authz_core" type="section">MatchAll</directive>
+        container directive (unless they are explicitly contained within
+        a different authorization container directive).
+        This permits
+        <directive module="mod_authz_core">Match</directive> directives
+        to be usefully mixed with negated
+        <code>Match not</code> directives.  To authorize the request,
+        none of the negated directives can match their parameters,
+        while all of the positive directives must match their
+        parameters (or else return a neutral result).</p>
 
     </section>
 
-    <section id="reqaccessctrl"><title>Using 'Require' or 'Reject' for access control</title>
+    <section id="reqaccessctrl"><title>Using authorization providers for access control</title>
         <p>Authentication by username and password is only part of the
         story. Frequently you want to let people in based on something
         other than who they are. Something such as where they are
@@ -526,10 +512,10 @@
         ip</directive> let you allow or deny access based other host based
         criteria such as host name or ip address of the machine requesting 
         a document.</p> 
-    
+
         <p>The usage of these providers is specified through the 
         <directive module="mod_authz_core">Require</directive> and 
-        <directive module="mod_authz_core">Reject</directive> directives.
+        <directive module="mod_authz_core">Match</directive> directives.
         These directives register the authorization providers
         that will be called during the authorization stage of the request
         processing. For example:</p>
@@ -554,7 +540,7 @@
         following:</p>
     
         <example>
-          Reject ip 10.252.46.165
+          Match not ip 10.252.46.165
         </example>
     
         <p>Visitors coming from that address will not be able to see
@@ -562,30 +548,33 @@
         machine name, rather than an IP address, you can use that.</p>
     
         <example>
-          Reject host <var>host.example.com</var>
+          Match not host <var>host.example.com</var>
         </example>
     
         <p>And, if you'd like to block access from an entire domain,
         you can specify just part of an address or domain name:</p>
     
         <example>
-          &lt;SatisfyAll&gt;<br />
+          Match all granted<br />
+          &lt;MatchNotAny&gt;
           <indent>
-            Reject ip <var>192.168.205</var><br />
-            Reject host <var>phishers.example.com</var> <var>moreidiots.example</var><br />           Reject host ke<br />
+            Match ip 192.168.205<br />
+            Match host phishers.example.com moreidiots.example<br />
+            Match host ke
           </indent>
-          &lt;/SatisfyAll&gt;
+          &lt;/MatchNotAny&gt;
         </example>
     
-        <p>Using the <directive module="mod_authz_host">Reject</directive> directive
-        inside of a <directive module="mod_authz_core">&lt;SatisfyAll&gt;</directive>
-        block, will let you be sure that you are actually restricting things to 
-        only the group that you want to let in.</p>
-    
-        <p>The above example uses the <directive module="mod_authz_core">
-        &lt;SatisfyAll&gt;</directive> block to make sure that all of the 
-        <directive module="mod_authz_host">Reject</directive> directives are 
-        satisfied before granting access. </p>
+        <p>The above example uses the <directive module="mod_authz_core"
+        type="section">MatchNotAny</directive> container directive
+        to make sure that none of the 
+        <directive module="mod_authz_host">Match</directive> directives
+        match their parameters before granting access.  Note that
+        the <code>Match all granted</code> directive and the
+        <directive module="mod_authz_core"
+        type="section">MatchNotAny</directive> are implicitly contained
+        within a <directive module="mod_authz_core"
+        type="section">MatchAll</directive> directive.</p>
     
     </section>
 
@@ -598,23 +587,6 @@
         <directive module="mod_access_compat">Satisfy</directive> are no longer needed. 
         However to provide backwards compatibility for older configurations, these 
         directives have been moved to the <module>mod_access_compat</module> module.</p>
-
-        <p>One of the problems with these directives was that the line between
-        authorization and access control was very fuzzy. The 
-        <directive module="mod_access_compat">Satisfy</directive> directive
-        tried to tie these two stages together by hooking itself into the 
-        request processing itself. Now that these directive have been moved to the
-        <module>mod_access_compat</module>, mixing the new authorization directives
-        with the older access control directives becomes difficult. To address this
-        issue, the <module>mod_authz_default</module> module becomes very important and must
-        be loaded. The main purpose of the <module>mod_authz_default</module> module is 
-        to handle any authorization requests that could not be handled by the 
-        authorization providers. But when the older access control directives are used, 
-        it also links access control with authorization and determines if access 
-        should be granted based on the outcome of each stage. Therefore if the 
-        older directives do not seem to be working properly, it might be because the
-        <module>mod_authz_default</module> module has not been loaded.</p>
-
     </section>
 
 </section>

Modified: httpd/httpd/trunk/docs/manual/mod/mod_access_compat.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_access_compat.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_access_compat.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_access_compat.xml Sat Nov  1 21:28:02 2008
@@ -60,9 +60,7 @@
     <note type="warning"><title>Note</title>
       <p>The directives provided by <module>mod_access_compat</module> have
       been deprecated by the new authz refactoring. Please see 
-      <module>mod_authz_host</module>.  The module 
-      <module>mod_authz_default</module> must also be loaded to provide for
-      default authorization handling.</p>
+      <module>mod_authz_host</module>.</p>
     </note>
 
     <p>In general, access restriction directives apply to all

Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_basic.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_basic.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_basic.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_basic.xml Sat Nov  1 21:28:02 2008
@@ -41,10 +41,7 @@
 <seealso><directive module="mod_authn_core">AuthName</directive></seealso>
 <seealso><directive module="mod_authn_core">AuthType</directive></seealso>
 <seealso><directive module="mod_authz_core">Require</directive></seealso>
-<seealso><directive module="mod_authz_core">Reject</directive></seealso>
-<seealso><directive module="mod_access_compat">Satisfy</directive> (Deprecated)</seealso>
-<seealso><directive module="mod_authz_core">&lt;SatisfyAll&gt;</directive></seealso>
-<seealso><directive module="mod_authz_core">&lt;SatisfyOne&gt;</directive></seealso>
+<seealso><directive module="mod_authz_core">Match</directive></seealso>
 <seealso><a href="../howto/auth.html">Authentication howto</a></seealso>
 
 <directivesynopsis>

Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml Sat Nov  1 21:28:02 2008
@@ -38,6 +38,7 @@
 <seealso><directive module="mod_authn_core">AuthName</directive></seealso>
 <seealso><directive module="mod_authn_core">AuthType</directive></seealso>
 <seealso><directive module="mod_authz_core">Require</directive></seealso>
+<seealso><directive module="mod_authz_core">Match</directive></seealso>
 <seealso><a href="../howto/auth.html">Authentication howto</a></seealso>
 
 <section id="using"><title>Using Digest Authentication</title>

Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_form.xml Sat Nov  1 21:28:02 2008
@@ -60,10 +60,7 @@
 <seealso><directive module="mod_authn_core">AuthName</directive></seealso>
 <seealso><directive module="mod_authn_core">AuthType</directive></seealso>
 <seealso><directive module="mod_authz_core">Require</directive></seealso>
-<seealso><directive module="mod_authz_core">Reject</directive></seealso>
-<seealso><directive module="mod_access_compat">Satisfy</directive> (Deprecated)</seealso>
-<seealso><directive module="mod_authz_core">&lt;SatisfyAll&gt;</directive></seealso>
-<seealso><directive module="mod_authz_core">&lt;SatisfyOne&gt;</directive></seealso>
+<seealso><directive module="mod_authz_core">Match</directive></seealso>
 <seealso><a href="../howto/auth.html">Authentication howto</a></seealso>
 
     <section id="basicconfig"><title>Basic Configuration</title>

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sat Nov  1 21:28:02 2008
@@ -37,7 +37,7 @@
     usually used in conjunction with an authentication
     provider module such as <module>mod_authn_file</module> and an 
     authorization module such as <module>mod_authz_user</module>. It
-    also allows for "AND" and "OR" logic to be applied to the 
+    also allows for advanced logic to be applied to the 
     authorization processing.</p>
 </summary>
 
@@ -45,7 +45,8 @@
 
     <p>Extended authorization providers can be created within the configuration
     file and assigned an alias name.  The alias providers can then be referenced
-    through the <directive module="mod_authz_core">Require</directive> directive
+    through the <directive module="mod_authz_core">Require</directive> and
+    <directive module="mod_authz_core">Match</directive> directives
     in the same way as a base authorization provider.  Besides the ability to
     create and alias an extended provider, it also allows the same extended
     authorization provider to be reference by multiple locations.
@@ -59,13 +60,13 @@
         </p>
     
         <example><title>Example</title>
-          &lt;RequireAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx&gt;<br />
+          &lt;AuthzProviderAlias ldap-group ldap-group-alias1 cn=my-group,o=ctx&gt;<br />
           <indent>
              AuthLDAPBindDN cn=youruser,o=ctx<br />
              AuthLDAPBindPassword yourpassword<br />
              AuthLDAPURL ldap://ldap.host/o=ctx<br />
           </indent> 
-          &lt;/RequireAlias&gt;<br /><br /> 
+          &lt;/AuthzProviderAlias&gt;<br /><br /> 
           &lt;AuthnProviderAlias ldap-group ldap-group-alias2
            cn=my-other-group,o=dev&gt;<br />
           <indent>
@@ -73,7 +74,7 @@
              AuthLDAPBindPassword yourotherpassword<br />
              AuthLDAPURL ldap://other.ldap.host/o=dev?cn<br />
           </indent> 
-          &lt;/RequireAlias&gt;<br /><br />
+          &lt;/AuthzProviderAlias&gt;<br /><br />
     
           Alias /secure /webpages/secure<br />
           &lt;Directory /webpages/secure&gt;<br />
@@ -95,19 +96,72 @@
 
 </section>
 
+<section id="logic"><title>Authorization Containers</title>
+
+    <p>The authorization container directives
+    <directive module="mod_authz_core" type="section">MatchAll</directive>,
+    <directive module="mod_authz_core" type="section">MatchAny</directive>,
+    <directive module="mod_authz_core" type="section">MatchNotAll</directive>
+    and
+    <directive module="mod_authz_core" type="section">MatchNotAny</directive>
+    may be combined with each other and with the
+    <directive module="mod_authz_core">Match</directive>
+    directive to express complex authorization logic.</p>
+
+    <p>The example below expresses the following authorization logic.
+    In order to access the resource, the user must either be the
+    <code>superadmin</code> user, or belong to both the
+    <code>admins</code> group and the <code>Administrators</code> LDAP
+    group and either belong to the <code>sales</code> group or
+    have the LDAP <code>dept</code> attribute <code>sales</code>.
+    Furthermore, in order to access the resource, the user must
+    not belong to either the <code>temps</code> group or the
+    LDAP group <code>Temporary Employees</code>.</p>
+
+    <example>
+        &lt;Directory /www/mydocs&gt;
+        <indent>
+            &lt;MatchAny&gt;
+            <indent>
+                Match user superadmin<br />
+                &lt;MatchAll&gt;
+                <indent>
+                    Match group admins<br />
+                    Match ldap-group cn=Administrators,o=Airius<br />
+                    &lt;MatchAny&gt;
+                    <indent>
+                        Match group sales<br />
+                        Match ldap-attribute dept="sales"
+                    </indent>
+                    &lt;/MatchAny&gt;
+                </indent>
+                &lt;/MatchAll&gt;
+            </indent>
+            &lt;/MatchAny&gt;<br />
+            &lt;MatchNotAny&gt;
+            <indent>
+                Match group temps<br />
+                Match ldap-group cn=Temporary Employees,o=Airius
+            </indent>
+            &lt;/MatchNotAny&gt;
+        </indent>      
+        &lt;/Directory&gt;
+    </example>
+</section>
+
 <directivesynopsis>
 <name>Require</name>
-<description>Selects which authenticated users can access
-a resource</description>
+<description>Tests whether an authenticated user is authorized by
+an authorization provider.</description>
 <syntax>Require <var>entity-name</var> [<var>entity-name</var>] ...</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
 
 <usage>
-    <p>This directive selects which authenticated users can access a
-    resource.  The restrictions are processed by authorization
-    modules.  Some of the allowed syntaxes provided by
+    <p>This directive tests whether an authenticated user is authorized
+    according to a particular authorization provider and the specified
+    restrictions.  Some of the allowed syntaxes provided by
     <module>mod_authz_user</module> and
     <module>mod_authz_groupfile</module> are:</p>
 
@@ -156,168 +210,331 @@
     place the <directive>Require</directive> statement into a
     <directive module="core" type="section">Limit</directive>
     section.</p>
- 
+
+    <p>When multiple <directive>Require</directive> directives are
+    used in a single
+    <a href="../sections.html#mergin">configuration section</a>,
+    the first one to authorize a user authorizes the entire request,
+    and subsequent <directive>Require</directive> directives are
+    ignored.  In other words, all <directive>Require</directive> directives
+    are enclosed in an implied <directive module="mod_authz_core"
+    type="section">MatchAny</directive> directive.</p>
+
+    <note><directive>Require</directive> directives may not be combined
+    with the <directive module="mod_authz_core">Match</directive> directive
+    or any authorization container directives, such as
+    <directive module="mod_authz_core"
+    type="section">MatchAll</directive>.</note>
 </usage>
 
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso> 
+<seealso><module>mod_authn_core</module></seealso>
 <seealso><module>mod_authz_host</module></seealso>
 </directivesynopsis>
 
 <directivesynopsis>
-<name>Reject</name>
-<description>Rejects authenticated users or host based 
-requests from accessing a resource</description>
-<syntax>Reject <var>entity-name</var> [<var>entity-name</var>] ...</syntax>
+<name>Match</name>
+<description>Tests whether an authenticated user is authorized by
+an authorization provider.</description>
+<syntax>Match [not] <var>entity-name</var>
+[<var>entity-name</var>] ...</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
 
 <usage>
-    <p>This directive is similar to the 
-    <directive module="mod_authz_core">Require</directive> directive however
-    it rejects which authenticated users or host based requests from accessing a resource.  The 
-    restrictions are processed by authorization modules.  See the 
-    <directive module="mod_authz_core">Require</directive> directive for details 
-    about usage.</p>
+    <p>This directive is similar to the
+    <directive module="mod_authz_core">Require</directive> directive;
+    it tests whether an authenticated user is authorized according to
+    a particular authorization provider and the specified restrictions.</p>
+
+    <p>Unlike the <directive module="mod_authz_core">Require</directive>
+    directive, it may be used with and inside authorization container
+    directives such as
+    <directive module="mod_authz_core" type="section">MatchAll</directive>.</p>
+
+    <p>Furthermore, its result may be negated through the use of the
+    <code>not</code> option.  As with other negated authorization directives,
+    in this case the <directive>Match</directive> directive may only
+    either fail or return a neutral result, and can therefore never
+    independently authorize a request.</p>
+
+    <p>In the following example, all users in the <code>alpha</code>
+    and <code>beta</code> groups are authorized, except for those who
+    are also in the <code>reject</code> group.</p>
+
+    <example>
+        &lt;Directory /www/docs&gt;
+        <indent>
+            Match group alpha beta<br />
+            Match not group reject
+        </indent>
+        &lt;/Directory&gt;
+    </example>
+
+    <p>When multiple <directive>Match</directive> directives are
+    used in a single
+    <a href="../sections.html#mergin">configuration section</a>
+    and are not contained in another authorization directive like
+    <directive module="mod_authz_core" type="section">MatchAny</directive>,
+    they are implicitly contained within a
+    <directive module="mod_authz_core" type="section">MatchAll</directive>
+    directive.  Thus for the user to be authorized, all such
+    <directive>Match</directive> directives must not fail, and
+    at least one must be successful.</p>
+
+    <note><directive>Match</directive> directives may not be combined
+    with the <directive module="mod_authz_core">Require</directive>
+    directive.</note>
 </usage>
 
+<seealso><directive module="mod_authz_core">Require</directive></seealso>
+<seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso> 
-<seealso><module>mod_authz_host</module></seealso>
 </directivesynopsis>
 
 <directivesynopsis type="section">
-<name>SatisfyAll</name>
-<description>Enclose a group of authorization directives that must all
-be satisfied in order to grant access to a resource.  This block allows
-for 'AND' logic to be applied to various authorization providers.</description>
-<syntax>&lt;SatisfyAll&gt;
-... &lt;/SatisfyAll&gt;</syntax>
+<name>MatchAll</name>
+<description>Enclose a group of authorization directives of which none
+must fail and at least one must succeed for the enclosing directive to
+succeed.</description>
+<syntax>&lt;MatchAll&gt;
+... &lt;/MatchAll&gt;</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
 
 <usage>
-    <p><directive type="section">SatisfyAll</directive> and
-    <code>&lt;/SatisfyAll&gt;</code> are used to enclose a group of
-    authorization directives that must all be satisfied in order to 
-    grant access to a resource.</p>
-
-    <p>The <directive module="mod_authz_core">
-    &lt;SatisfyAll&gt;</directive> block as well as the 
-    <directive module="mod_authz_core">&lt;SatisfyOne&gt;</directive> block 
-    allow you to apply "AND" and "OR" logic to the authorization processing. 
-    For example the following authorization block would apply the logic:</p>
+    <p><directive type="section">MatchAll</directive> and
+    <code>&lt;/MatchAll&gt;</code> are used to enclose a group of
+    authorization directives of which none must fail and at least one
+    must succeed in order for
+    the <directive type="section">MatchAll</directive> directive to
+    succeed.</p>
+
+    <p>If none of the directives contained within the
+    <directive type="section">MatchAll</directive> directive fails,
+    and at least one succeeds, then the
+    <directive type="section">MatchAll</directive> directive
+    succeeds.  If none succeed and none fail, then it returns a
+    neutral result.  In all other cases, it fails.</p>
+</usage>
 
-    <example>
-      # if ((user == "John") ||<br />
-      # &nbsp;&nbsp; ((Group == "admin")<br />
-      # &nbsp; &nbsp; &amp;&amp; (ldap-group &lt;ldap-object&gt; contains auth'ed_user)<br />
-      # &nbsp; &nbsp; &amp;&amp; ((ldap-attribute dept == "sales")<br />
-      # &nbsp; &nbsp; &nbsp; &nbsp; || (file-group contains auth'ed_user))))<br />
-      # then<br />
-      # &nbsp; auth_granted<br />
-      # else<br />
-      # &nbsp; auth_denied<br />
-      #<br />
-      &lt;Directory /www/mydocs&gt;<br />
-      <indent>
-        Authname ...<br />
-        AuthBasicProvider ...<br />
-        ...<br />
-        Require user John<br />
-        &lt;SatisfyAll&gt;<br />
-        <indent>
-          Require Group admins<br />
-          Require ldap-group cn=mygroup,o=foo<br />
-          &lt;SatisfyOne&gt;<br />
-          <indent>
-            Require ldap-attribute dept="sales"<br />
-            Require file-group<br />
-          </indent>
-          &lt;/SatisfyOne&gt;<br />
-        </indent>
-        &lt;/SatisfyAll&gt;<br />
-      </indent>
-      &lt;/Directory&gt;
-    </example>
+<seealso><a href="#logic">Authorization Containers</a></seealso>
+<seealso><a href="../howto/auth.html">Authentication, Authorization,
+    and Access Control</a></seealso> 
+
+</directivesynopsis>
+
+<directivesynopsis type="section">
+<name>MatchAny</name>
+<description>Enclose a group of authorization directives of which one
+must succeed for the enclosing directive to succeed.</description>
+<syntax>&lt;MatchAny&gt;
+... &lt;/MatchAny&gt;</syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+
+<usage>
+    <p><directive type="section">MatchAny</directive> and
+    <code>&lt;/MatchAny&gt;</code> are used to enclose a group of
+    authorization directives of which one must succeed in order for
+    the <directive type="section">MatchAny</directive> directive to
+    succeed.</p>
+
+    <p>If one or more of the directives contained within the
+    <directive type="section">MatchAny</directive> directive succeed,
+    then the <directive type="section">MatchAny</directive> directive
+    succeeds.  If none succeed and none fail, then it returns a
+    neutral result.  In all other cases, it fails.</p>
+
+    <note>Because negated authorization directives are unable to
+    return a successful result, they can not significantly influence
+    the result of a <directive type="section">MatchAny</directive>
+    directive.  (At most they could cause the directive to fail in
+    the case where they failed and all other directives returned a
+    neutral value.)  Therefore negated authorization directives
+    are not permitted within a <directive type="section">MatchAny</directive>
+    directive.</note>
 </usage>
 
+<seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso> 
 
 </directivesynopsis>
 
 <directivesynopsis type="section">
-<name>SatisfyOne</name>
-<description>Enclose a group of authorization directives that must 
-satisfy at least one in order to grant access to a resource.  This 
-block allows for 'OR' logic to be applied to various authorization 
-providers.</description>
-<syntax>&lt;SatisfyOne&gt;
-... &lt;/SatisfyOne&gt;</syntax>
+<name>MatchNotAll</name>
+<description>Enclose a group of authorization directives of which some
+must fail or none must succeed for the enclosing directive to
+not fail.</description>
+<syntax>&lt;MatchNotAll&gt;
+... &lt;/MatchNotAll&gt;</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
 
 <usage>
-    <p><directive type="section">SatisfyOne</directive> and
-    <code>&lt;/SatisfyOne&gt;</code> are used to enclose a group of
-    authorization directives that must satisfy at least one in order to 
-    grant access to a resource.</p>
+    <p><directive type="section">MatchNotAll</directive> and
+    <code>&lt;/MatchNotAll&gt;</code> are used to enclose a group of
+    authorization directives of which some must fail or none must succeed
+    in order for the
+    <directive type="section">MatchNotAll</directive> directive to
+    not fail.</p>
+
+    <p>If none of the directives contained within the
+    <directive type="section">MatchNotAll</directive> directive
+    fail, and one or more succeed, then the
+    <directive type="section">MatchNotAll</directive> directive fails.
+    In all other cases, it returns a neutral result.  Thus as with
+    the other negated authorization directives, it can never independently
+    authorize a request because it can never return a successful result.
+    It can be used, however, to restrict the set of users who are
+    authorized to access a resource.</p>
+</usage>
 
-    <p>See the <directive module="mod_authz_core">
-    &lt;SatisfyAll&gt;</directive> directive for a usage example.</p>
+<seealso><a href="#logic">Authorization Containers</a></seealso>
+<seealso><a href="../howto/auth.html">Authentication, Authorization,
+    and Access Control</a></seealso> 
+
+</directivesynopsis>
+
+<directivesynopsis type="section">
+<name>MatchNotAny</name>
+<description>Enclose a group of authorization directives of which none
+none must succeed for the enclosing directive to not fail.</description>
+<syntax>&lt;MatchNotAny&gt;
+... &lt;/MatchNotAny&gt;</syntax>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
 
+<usage>
+    <p><directive type="section">MatchNotAny</directive> and
+    <code>&lt;/MatchNotAny&gt;</code> are used to enclose a group of
+    authorization directives of which none must succeed
+    in order for the
+    <directive type="section">MatchNotAny</directive> directive to
+    not fail.</p>
+
+    <p>If one or more of the directives contained within the
+    <directive type="section">MatchNotAny</directive> directive succeed,
+    then the <directive type="section">MatchNotAny</directive> directive
+    fails.  In all other cases, it returns a neutral result.  Thus as with
+    the other negated authorization directives, it can never independently
+    authorize a request because it can never return a successful result.
+    It can be used, however, to restrict the set of users who are
+    authorized to access a resource.</p>
+
+    <note>Because negated authorization directives are unable to
+    return a successful result, they can not significantly influence
+    the result of a <directive type="section">MatchNotAny</directive>
+    directive.  Therefore negated authorization directives
+    are not permitted within a
+    <directive type="section">MatchNotAny</directive> directive.</note>
 </usage>
 
+<seealso><a href="#logic">Authorization Containers</a></seealso>
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso> 
 
 </directivesynopsis>
 
 <directivesynopsis>
-<name>AuthzMergeRules</name>
-<description>Set to 'on' to allow the parent's &lt;Directory&gt; or &lt;Location&gt; 
-authz rules to be merged into the current &lt;Directory&gt; or &lt;Location&gt;.  
-Set to 'off' to disable merging. If set to 'off', only the authz rules defined in 
-the current &lt;Directory&gt; or &lt;Location&gt; block will apply.</description>
-<syntax>AuthzMergeRules on | off</syntax>
-<default>AuthzMergeRules on</default>
+<name>MergeAuthz</name>
+<description>Controls the manner in which each configuration section's
+authorization logic is combined with that of preceding configuration
+sections.</description>
+<syntax>MergeAuthz Off | MatchAll | MatchAny</syntax>
+<default>MergeAuthz Off</default>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
 
 <usage>
-    <p>By default all of the authorization rules within a &lt;Directory&gt;
-    &lt;Location&gt; hierarchy are merged together to form a single 
-    logical authorization operation.  If AuthzMergeRules is set to 'off', then
-    only the authorization rules that are contained with the current 
-    &lt;Directory&gt; or &lt;Location&gt; block are considered. This
-    allows the configuration to determine exactly how authorization will
-    be determined without having to take into consideration the 
-    authorization rules that may exist above it.</p>
+    <p>When authorization is enabled, it is normally inherited by each
+    subsequent <a href="../sections.html#mergin">configuration section</a>,
+    unless a different set of authorization directives are specified.
+    This is the default action, which corresponds to an explicit setting
+    of <code>MergeAuthz Off</code>.</p>
+
+    <p>However, there may be circumstances in which is it desirable
+    for a configuration section's authorization to be combined with
+    that of its predecessor while configuration sections are being
+    merged.  Two options are available for this case, <code>MatchAll</code>
+    and <code>MatchAny</code>.</p>
+
+    <p>When a configuration section contains <code>AuthzMerge MatchAll</code>
+    or <code>AuthzMerge MatchAny</code>,
+    its authorization logic is combined with that of the nearest
+    predecessor (according to the overall order of configuration sections)
+    which also contains authorization logic as if the two sections
+    were jointly contained within a
+    <directive module="mod_authz_core" type="section">MatchAll</directive> or
+    <directive module="mod_authz_core" type="section">MatchAny</directive>
+    directive, respectively.</p>
+
+    <note>The setting of <directive>AuthzMerge</directive> is not
+    inherited outside of the configuration section in which it appears.
+    In the following example, only users belonging to group <code>alpha</code>
+    may access <code>/www/docs</code>.  Users belonging to either
+    groups <code>alpha</code> or <code>beta</code> may access
+    <code>/www/docs/ab</code>.  However, the default <code>Off</code>
+    setting of <directive>AuthzMerge</directive> applies to the
+    <directive type="section" module="core">Directory</directive>
+    configuration section for <code>/www/docs/ab/gamma</code>, so
+    that section's authorization directives override those of the
+    preceding sections.  Thus only users belong to the group
+    <code>gamma</code> may access <code>/www/docs/ab/gamma</code>.</note>
+
+    <example>
+        &lt;Directory /www/docs&gt;
+        <indent>
+            AuthType Basic<br />
+            AuthName Documents<br />
+            AuthBasicProvider file<br />
+            AuthUserFile /usr/local/apache/passwd/passwords<br />
+            Match group alpha
+        </indent>
+        &lt;/Directory&gt;<br />
+        <br />
+        &lt;Directory /www/docs/ab&gt;
+        <indent>
+            AuthzMerge MatchAny<br />
+            Match group beta
+        </indent>
+        &lt;/Directory&gt;<br />
+        <br />
+        &lt;Directory /www/docs/ab/gamma&gt;
+        <indent>
+            Match group gamma
+        </indent>
+        &lt;/Directory&gt;
+    </example>
 </usage>
 
 </directivesynopsis>
 
 <directivesynopsis type="section">
-<name>RequireAlias</name>
+<name>AuthzProviderAlias</name>
 <description>Enclose a group of directives that represent an
 extension of a base authorization provider and referenced by the specified
 alias</description>
-<syntax>&lt;RequireAlias <var>baseProvider Alias Require-Parameters</var>&gt; 
-... &lt;/RequireAlias&gt;
+<syntax>&lt;AuthzProviderAlias <var>baseProvider Alias Require-Parameters</var>&gt; 
+... &lt;/AuthzProviderAlias&gt;
 </syntax>
 <contextlist><context>server config</context>
 </contextlist>
 
 <usage>
-    <p><directive type="section">RequireAlias</directive> and
-    <code>&lt;/RequireAlias&gt;</code> are used to enclose a group of
+    <p><directive type="section">AuthzProviderAlias</directive> and
+    <code>&lt;/AuthzProviderAlias&gt;</code> are used to enclose a group of
     authorization directives that can be referenced by the alias name using the
-    directive <directive module="mod_authz_core"> Require</directive>.</p>
+    directive <directive module="mod_authz_core">Require</directive>.</p>
 
 </usage>
 </directivesynopsis>

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml Sat Nov  1 21:28:02 2008
@@ -47,9 +47,6 @@
 
 <seealso><directive module="mod_authz_core">Require</directive></seealso>
 <seealso>
-  <directive module="mod_authz_core">AuthzMergeRules</directive>
-</seealso>
-<seealso>
   <directive module="mod_authn_dbd">AuthDBDUserPWQuery</directive>
 </seealso>
 <seealso><directive module="mod_dbd">DBDriver</directive></seealso>
@@ -106,7 +103,6 @@
     "SELECT password FROM authn WHERE user = %s AND login = 'true'"
 
   # mod_authz_core configuration for mod_authz_dbd
-  AuthzMergeRules Off
   Require dbd-group team
 
   # mod_authz_dbd configuration
@@ -123,7 +119,6 @@
       "SELECT password FROM authn WHERE user = %s"
 
     # dbd-login action executes a statement to log user in
-    AuthzMergeRules Off
     Require dbd-login
     AuthzDBDQuery \
       "UPDATE authn SET login = 'true' WHERE user = %s"
@@ -135,7 +130,6 @@
 
   &lt;Files logout.html&gt;
     # dbd-logout action executes a statement to log user out
-    AuthzMergeRules Off
     Require dbd-logout
     AuthzDBDQuery \
       "UPDATE authn SET login = 'false' WHERE user = %s"

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml Sat Nov  1 21:28:02 2008
@@ -33,7 +33,7 @@
 <summary>
     <p>The authorization providers implemented by <module>mod_authz_host</module> are
     registered using the <directive module="mod_authz_core">Require</directive> or
-    <directive module="mod_authz_core">Reject</directive> directives.  These 
+    <directive module="mod_authz_core">Match</directive> directives.  These 
     directives can be referenced within a 
     <directive module="core" type="section">Directory</directive>,
     <directive module="core" type="section">Files</directive>, 
@@ -55,12 +55,12 @@
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
     and Access Control</a></seealso> 
 <seealso><directive module="mod_authz_core">Require</directive></seealso>
-<seealso><directive module="mod_authz_core">Reject</directive></seealso>
+<seealso><directive module="mod_authz_core">Match</directive></seealso>
 
 <section id="requiredirectives"><title>The Require Directives</title>
 
     <p>Apache's <directive module="mod_authz_core">Require</directive> and 
-    <directive module="mod_authz_core">Reject</directive> directives are 
+    <directive module="mod_authz_core">Match</directive> directives are 
     used during the authorization phase to ensure that a user is allowed or
     denied access to a resource.  mod_authz_host extends the 
     authorization types with <code>env</code>, <code>ip</code>, 

Modified: httpd/httpd/trunk/docs/manual/new_features_2_4.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/new_features_2_4.xml?rev=709841&r1=709840&r2=709841&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/new_features_2_4.xml (original)
+++ httpd/httpd/trunk/docs/manual/new_features_2_4.xml Sat Nov  1 21:28:02 2008
@@ -64,11 +64,22 @@
           console.  The user can thus be alerted to misconfiguration problems
           before the core <code>open_logs</code> hook function redirects
           console output to the error log.</dd>
-    <dt>Expression Parser Added</dt>
-    <dd>We now have a general-purpose expression parser, whose API is
-        exposed in <var>ap_expr.h</var>.  This is adapted from the
-        expression parser previously implemented in
-        <module>mod_include</module>.</dd>
+
+      <dt>Expression Parser Added</dt>
+
+      <dd>We now have a general-purpose expression parser, whose API is
+          exposed in <var>ap_expr.h</var>.  This is adapted from the
+          expression parser previously implemented in
+          <module>mod_include</module>.</dd>
+
+      <dt>Authorization Logic Containers</dt>
+
+      <dd>Advanced authorization logic may now be specified using the
+          <directive module="mod_authz_core">Match</directive> directive
+          and the related container directives, such as
+          <directive module="mod_authz_core"
+          type="section">MatchAll</directive>, all
+          provided by the <module>mod_authz_core</module> module.</dd>
     </dl>
   </section>
 </manualpage>



Mime
View raw message