httpd-dev mailing list archives

From Mark J Cox
Subject Re: Exclusive .htaccess types (fwd)
Date Fri, 23 Feb 1996 08:43:24 GMT
> > This prevents the common situation of allowing everyone on a site access
> > to a directory and off-site users with the correct passwords.

This is what NCSA have allowed with their "Satisfy" directive.  The
example below says "If not from then get a password". 

<Limit GET PUT>
order deny,allow
deny from all
allow from
require group staff
satisfy any
</Limit>
(Using "satisfy all" would require a password and from

This can't be implemented nicely using the current API; you need to kludge
process_request_internal() in http_request.c.

Actually I don't think the NCSA directives give enough information.  It
says "either allow from or ask for a password".  It's not
that obvious which order it is going to check them in by looking at the
access conf file.  The NCSA server does the password check second.
I'd prefer "satisfy access or auth".  

[Actually "satisfy auth or access" (ask for a password but don't
worry too much if we don't have a valid user and we are in
isn't going to work at all since the browser needs to see an initial
404 failure before it challenges for a password.]

Is this a one-off, or in the future will we get asked for more complex
schemes "allow from without a password, with a
password only, the rest with a password or anonymous login"? 

How about a "master" auth/access checker module that is used from
process_request_internal() which handles directives like "satisfy" and farms
out to access and authentication modules as required? 
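
The decision logic discussed in this message, as an added sketch that is not part of the original message and is not Apache or NCSA source code: it checks host access first and the password second, and combines them under "satisfy any" or "satisfy all". All type and function names are hypothetical, and example.com is a constructed stand-in for the site domain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; not Apache or NCSA source. */
enum satisfy  { SATISFY_ALL, SATISFY_ANY };
enum decision { GRANT, CHALLENGE, FORBID };

struct request {
    const char *host;  /* resolved client host name, assumed lower-case */
    bool auth_ok;      /* valid password sent AND user is in the required group */
};

/* "allow from <domain>": match on a label boundary so that
 * "notexample.com" does not pass for "example.com". */
static bool host_allowed(const char *host, const char *domain)
{
    size_t h = strlen(host), d = strlen(domain);
    if (d == 0 || h < d || strcmp(host + (h - d), domain) != 0)
        return false;
    return h == d || host[h - d - 1] == '.';
}

/* Master checker: access check first, password check second. */
enum decision check_request(const struct request *r, const char *domain,
                            enum satisfy mode)
{
    bool access = host_allowed(r->host, domain);

    if (mode == SATISFY_ANY && access)
        return GRANT;      /* on-site client is never asked for a password */
    if (mode == SATISFY_ALL && !access)
        return FORBID;     /* off-site: a password cannot help */
    return r->auth_ok ? GRANT : CHALLENGE;  /* ask (or re-ask) for a password */
}

/* Constructed sample requests; example.com stands in for the site domain. */
const struct request onsite_anon   = { "ws1.example.com", false };
const struct request offsite_anon  = { "dialup.example.net", false };
const struct request offsite_staff = { "dialup.example.net", true };
const struct request lookalike     = { "notexample.com", false };
```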

