httpd-dev mailing list archives

From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject: RE: Dropped: [inq] short, concise, and to the point
Date: Wed, 04 Oct 2000 17:36:22 GMT

My issue with mod_dav's example security, 

<Location />
    <LimitExcept GET HEAD POST OPTIONS>
        require something
    </LimitExcept>
</Location>

is that it suggests to the user that the existing limits would
hold on the <Directory > block, plus new restrictions on everything
except GET HEAD POST OPTIONS.  But if GET was protected by:

<Directory />
    require somethingelse
</Directory>

that require is wiped out by the <Location /> protection above.

It also suggests that 

<Location /private>
    require valid-user
</Location>

will always protect %docroot%/private.  That isn't necessarily so.

I agree with you, Greg, that <Location >s are clear, and <Directory >s
are fuzzy/tricky.  But that's appearance; in practice it's the other
way around.

The right solution, imho, is to use <Location > as the mount point
of the file system to the URL space.  DocumentRoot, Alias and ScriptAlias
all become simple wrappers around the more complete <Location >.
But that's too heavy for me to finish thinking through today :-)

Bill
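
The override described in the message above, as a small configuration-audit model added here as an example (it is not part of the original post and is not Apache source code). It assumes that sections merge Directory first and Location second, and that a section carrying any `require` replaces the inherited list instead of adding to it; the method set, the tuple layout and all function names are hypothetical.

```python
# Simplified model: every section is assumed to match the request, so the
# path is carried for readability only and is not used for matching.
ALL_METHODS = frozenset(
    {"GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "PROPFIND"}
)

def limit_except(*methods):
    """Methods a <LimitExcept ...> block applies to: everything not listed."""
    return ALL_METHODS - set(methods)

# Constructed sample mirroring the two blocks quoted in the message.
# Each section: (kind, path, [(requirement, methods it applies to), ...])
SECTIONS = [
    ("Directory", "/", [("somethingelse", ALL_METHODS)]),
    ("Location", "/",
     [("something", limit_except("GET", "HEAD", "POST", "OPTIONS"))]),
]

MERGE_ORDER = {"Directory": 0, "Location": 1}  # assumption: Location merges last

def effective_requires(sections):
    """Require list left after merging; a later list replaces an earlier one."""
    merged = []
    for _kind, _path, requires in sorted(sections, key=lambda s: MERGE_ORDER[s[0]]):
        if requires:  # replace wholesale, never union
            merged = list(requires)
    return merged

def requirement_for(sections, method):
    """Names of the requirements still enforced for one HTTP method."""
    return sorted(
        name for name, methods in effective_requires(sections) if method in methods
    )

def lost_protection(sections):
    """Methods some section restricted that end up with no require at all."""
    restricted_somewhere = set()
    for _kind, _path, requires in sections:
        for _name, methods in requires:
            restricted_somewhere |= methods
    restricted_finally = set()
    for _name, methods in effective_requires(sections):
        restricted_finally |= methods
    return sorted(restricted_somewhere - restricted_finally)

if __name__ == "__main__":
    print("unprotected after merge:", lost_protection(SECTIONS))
    print("PUT still requires:", requirement_for(SECTIONS, "PUT"))
```

Running the same check with only the `<Directory />` section shows GET still covered by `somethingelse`, which is the expectation the message says the mod_dav example wrongly preserves.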



