httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Life is hard, and then you die." <>
Subject Re: module ordering in Configuration.tmpl
Date Thu, 12 Aug 1999 04:02:20 GMT

Roy T. Fielding wrote:
> >Hmmm:
> >> revision 1.120
> >> date: 1999/08/09 06:25:24;  author: fielding;  state: Exp;  lines: +13 -12
> >> Move mod_auth_digest to where it makes sense.  If there is a problem
> >> with the ordering here, then we should move all the auth modules and
> >> not just the latest one.
> >
> >Unfortunately there is a problem: mod_auth_digest must be listed
> >*before* libproxy because because the WWW-Authenticate and
> >Proxy-Authenticate headers are parsed in the post-read-request phase
> >and it needs to know if this is a proxy request or not. With the
> >current ordering, using Digest auth in a proxy setting will fail
> >miserably.
> >
> >Is there any problem with moving any other auth module up (i.e. have
> >them all do their processing *after* mod_proxy)?
> Wouldn't this equally apply to the other forms of authentication?

Not necessarily.

>    fix the ordering problem in Configuration, though I fear this may
>    be a case where the current ordering is needed for some hooks
>    but the reverse for post-read-request, and the real solution might
>    be to change the phase used by mod_auth_digest.

The reason that mod_auth_digest needs to do it's work in post-read-request
is that it needs to do nonce-count updating on *every* request, no matter
whether the request requires authentication, whether the resource
requested exists, etc. All other authentication modules don't have this
requirement, and hence can wait a bit (i.e. do the processing in a
later stage).

> BTW, dependencies like that MUST be included in the comments for
> Configuration, not left to trial and error.




View raw message