httpd-dev mailing list archives

From Mark J Cox <m...@ukweb.com>
Subject Re: Exclusive .htaccess types (fwd)
Date Fri, 23 Feb 1996 08:43:24 GMT
> > This prevents the common situation of allowing everyone on a site access
> > to a directory and off-site users with the correct passwords.

This is what NCSA have allowed with their "Satisfy" directive.  The
example below says "If not from .ukweb.com then get a password". 

<Limit GET PUT>
order deny,allow
deny from all
allow from .ukweb.com
require group staff
satisfy any
</Limit>
(Using "satisfy all" would require a password and from .ukweb.com.)

This can't be implemented nicely using the current API; you need to kludge
process_request_internal() in http_request.c.

Actually I don't think the NCSA directives give enough information.  It
says "either allow from .ukweb.com or ask for a password".  It's not
that obvious which order it is going to check them in by looking at the
access conf file.  The NCSA server does the password check second.
I'd prefer "satisfy access or auth".  

[Actually "satisfy auth or access" (ask for a password but don't
worry too much if we don't have a valid user and we are in .ukweb.com)
isn't going to work at all since the browser needs to see an initial
404 failure before it challenges for a password.]

Is this a one-off, or in the future will we get asked for more complex
schemes "allow from .ukweb.com without a password, .xyzzy.com with a
password only, the rest with a password or anonymous login"? 

How about a "master" auth/access checker module that is used from
process_request_internal() which handles directives like "satisfy" and farms
out to access and authentication modules as required? 

Mark
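
A small model of the "satisfy any" / "satisfy all" decision discussed in the message above, added here as an illustration; it is not code from the NCSA or Apache source. The names decide(), host_allowed() and struct request are hypothetical, the client host name is assumed to be already resolved and trustworthy, and the access check runs before the password check, the order the message says the NCSA server uses.

```c
#include <stdio.h>
#include <string.h>

enum satisfy { SATISFY_ALL, SATISFY_ANY };

/* Hypothetical request summary; not a structure from any real server. */
struct request {
    const char *remote_host; /* assumed: already resolved and verified */
    const char *user;        /* NULL when no credentials were sent */
    int in_staff_group;      /* 1 if the password was valid and user is in "staff" */
};

/* "allow from .ukweb.com": suffix match that includes the leading dot,
 * so "fakeukweb.com" does not pass as a member of the domain. */
static int host_allowed(const char *host, const char *suffix)
{
    size_t hl = strlen(host), sl = strlen(suffix);
    return hl >= sl && strcmp(host + hl - sl, suffix) == 0;
}

/* Returns the HTTP status for the <Limit> block in the message. */
int decide(enum satisfy mode, const struct request *r)
{
    int access_ok = host_allowed(r->remote_host, ".ukweb.com");
    int auth_ok = r->user != NULL && r->in_staff_group;

    if (mode == SATISFY_ANY) {
        /* Either test is enough; only an off-site client is challenged. */
        return (access_ok || auth_ok) ? 200 : 401;
    }
    /* SATISFY_ALL: a password cannot make up for the wrong host. */
    if (!access_ok)
        return 403;
    return auth_ok ? 200 : 401;
}

int main(void)
{
    /* Constructed sample requests. */
    struct request onsite  = { "www.ukweb.com", NULL, 0 };
    struct request offsite = { "dialup.example.net", NULL, 0 };
    struct request staff   = { "dialup.example.net", "alice", 1 };

    printf("any: onsite=%d offsite=%d staff=%d\n", decide(SATISFY_ANY, &onsite),
           decide(SATISFY_ANY, &offsite), decide(SATISFY_ANY, &staff));
    printf("all: onsite=%d offsite=%d staff=%d\n", decide(SATISFY_ALL, &onsite),
           decide(SATISFY_ALL, &offsite), decide(SATISFY_ALL, &staff));
    return 0;
}
```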

