httpd-dev mailing list archives

From "Jeroen Massar" <>
Subject RE: Auth - what should happen
Date Thu, 11 Jul 2002 14:39:26 GMT

[] wrote:

> Opinions - not on what happens today in 1.3 but what should happen in a
> perfect world:
> Given a config like this:
> 	<Directory /my/secrets>
> 	AuthType 	basic
> 	AuthName	Restricted area
> 	</Directory>
> What should happen ? Allowed in with, or without a password ? 
> What would users feel as most logical ?
They want it to be open probably, unless you got security
savvy types, they want it closed.
In other words: Default Policy Closed

If it doesn't serve content people will notice,
people will complain, people will fix.
If it by default serves content, it could be content that
people didn't want to serve at all.

> Then
> 	<Directory /my/secrets>
> 	AuthType 	basic
> 	AuthName	Restricted area
> 	<Limit POST>
> 		require valid-user
> 	</Limit>
> 	</Directory>
> Same here when using a GET. (Note - I've not even started with 'allow
> from' or 'satisfy any' complexity).

Maybe introduce a "LimitPolicy Deny"
But we got "Order deny,allow" for that.
If we take into consideration that "Order" defaults to "deny,allow"
one would end up:
 - Allowing POST to valid-user.
 - Denying anything else.
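
As an added example (not part of the original message and not Apache project code), the Python sketch below scans a configuration for the two cases raised in this thread: a `<Directory>` with `AuthType` but no `require`, and one whose `require` is scoped by `<Limit>` (it also covers `<LimitExcept>`). The `audit` function, its finding strings and the sample paths `/my/uploads` and `/my/closed` are assumptions made for illustration.

```python
import re

# Constructed sample: the two configurations quoted in the thread, plus one
# section where `require` sits outside any <Limit>. AuthName is omitted.
SAMPLE = """
<Directory /my/secrets>
    AuthType basic
</Directory>
<Directory /my/uploads>
    AuthType basic
    <Limit POST>
        require valid-user
    </Limit>
</Directory>
<Directory /my/closed>
    AuthType basic
    require valid-user
</Directory>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")

def audit(conf):
    """Return (directory, finding) pairs for AuthType sections lacking a blanket require."""
    findings, stack, cur = [], [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            name = stack.pop()[0] if stack else ""
            if name == "directory" and cur["authtype"] and "all" not in cur["scopes"]:
                gap = "; ".join(cur["scopes"]) or "none"
                findings.append((cur["path"], f"require scope: {gap}"))
            cur = None if name == "directory" else cur
        elif m := OPEN.fullmatch(line):
            stack.append((m.group(1).lower(), m.group(2).strip()))
            if stack[-1][0] == "directory":
                cur = {"path": stack[-1][1], "authtype": False, "scopes": []}
        elif cur is not None:
            word = line.split()[0].lower()
            if word == "authtype":
                cur["authtype"] = True
            elif word == "require":
                limit = next((s for s in reversed(stack) if s[0] in ("limit", "limitexcept")), None)
                scope = "all" if limit is None else (
                    ("only " if limit[0] == "limit" else "all but ") + ",".join(limit[1].upper().split()))
                cur["scopes"].append(scope)
    return findings
```

Calling `audit(SAMPLE)` reports `/my/secrets` and `/my/uploads` for review and leaves `/my/closed` unflagged.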

