httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <ako...@organic.com>
Subject Re: Satisfy Directive Support
Date Mon, 22 Jul 1996 17:46:24 GMT
On Sun, 21 Jul 1996, Robert S. Thau wrote:

>   Another patch. I'm voting yes on this _without_ the #ifdef ENABLE_SATISFY
> 
> Hmmm... I thought Satisfy in the NCSA server also had effect on the
> treatment of auth....

It does. See

http://hoohoo.ncsa.uiuc.edu/docs/howto/access_control.html

Basically, "satisfy any" allows any one of the specified "allow" or
"require" directives to control server access. This is difficult to pull
off in Apache directly, because allow and require are in seperate modules
(mod_access and mod_auth). Satisfy, then, has actually *two* functions in
NCSA, as Apache sees it: it allows either the access check or an auth
check to pass, not both. It also does what the patch in question allows,
namely allowing only one of a "require" line to match.

My suggestion would be to make "satisfy" a core command, with a satify()
function to get the result. Then call it from the various
process_request  functions, and if it's "any", allow a failed
check_access() to continue if there's also auth stuff. Then modify
mod_access (as this patch does) and mod_auth (which this patch doesn't) to
also call satisfy() and only match one "require" line instead of all of
'em. This last part might be tricky, given all the hand-waving that the
mod_auth modules do to allow you to mix and match users and groups of
different types.

So this patch only fulfills 1/3 of the NCSA Satisfy directive. I think
that if we're going to have a directive of the same name, it should have
the same function. No? Otherwise, we should call it something different.

-- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/



Mime
View raw message