httpd-dev mailing list archives

From Justin Erenkrantz <>
Subject Re: [PATCH]es - some thoughts about the auth modules
Date Sun, 08 Dec 2002 20:32:07 GMT
--On Sunday, December 8, 2002 3:16 PM +0100 André Malo <> 

> while cleaning up the 2.1 auth docs, some things bubbled up, that
> are worth to patch, imho :) If all patches are applied, applying
> them in the described order should work. But before a general
> question: What's the reason, that Auth*Provider cannot be
> determined in .htaccess files? The worst case would be a 500,
> similar to the usage of AuthDBM* directives, if no mod_authn_dbm
> is configured, so I see no problem in .htaccess-allowed *Provider
> directives.

We did allow this before, right?  Yeah, I guess it might make sense 
to switch the directives to OR_LIMIT.  Patches?  =)

> - yesno.diff
> there is some confusion with "yes" and "no" and "on" and "off"...
> ;-) By the way: the AccessAuthoritative directive in
> mod_authz_default is wrong-named, isn't it? I think, it should be
> AuthzDefaultAuthoritative. No patch for this, because trivial ;-)

Um, well, sure, I guess.

> - authoritative.diff:
> when asking the providers for authentication, the main loop should
> not only break, if access is granted. It should also break, if
> access was *denied* by one provider. To be safe, it has to break
> also, if an error occurred. So the patch turns the condition around
> and continues only, if the user was not found.
> I find it also weird, that if auth was denied (by password
> usually), the AuthBasicAuthoritative behaviour can override that
> by "passing to lower modules". The patch changes that behaviour,
> too.

I'm kind of on the fence about that.  I was originally thinking 
optimistically, but yeah, it might make sense to do it 
pessimistically.  If there's any error, bug out.

> - null.diff:
> ouch. there are some possible NULL pointer references. Have you
> ever tried AuthDigestProvider dbm? This results in a great kaboom.
> The patch makes apache throw an error, if someone tries a
> provider, that doesn't support the particular auth scheme.

Yeah, this is what caught Fred a few weeks ago when he didn't have 
mod_authn_file installed.

> - anon2p.diff
> mod_authn_anon should be a provider, too, shouldn't it? this patch
> resolves that. That drops the Anonymous_Authoritative directive,
> of course. By the way, is now the time to give the anon directives
> a better face? ;-))

Haven't had a chance to look at this patch, but the rest of them look 
good.  +1.  (*mumble about not having time to commit anything right 
now*)  -- justin
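
The two provider-loop policies discussed under authoritative.diff, modelled as an added example that is not code from the patch or from httpd. The result codes, the two provider functions and all credentials are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch, not httpd's own definitions. */
typedef enum { AUTHN_GRANTED, AUTHN_DENIED, AUTHN_NOT_FOUND, AUTHN_ERROR } authn_result;
typedef authn_result (*provider_fn)(const char *user, const char *password);

/* Constructed provider 1: knows alice; its backend fails when asked about bob. */
static authn_result primary_store(const char *user, const char *password) {
    if (strcmp(user, "bob") == 0) return AUTHN_ERROR;
    if (strcmp(user, "alice") != 0) return AUTHN_NOT_FOUND;
    return strcmp(password, "s3cret") == 0 ? AUTHN_GRANTED : AUTHN_DENIED;
}

/* Constructed provider 2: a stale store that still holds old credentials. */
static authn_result legacy_store(const char *user, const char *password) {
    if (strcmp(user, "alice") != 0 && strcmp(user, "bob") != 0 &&
        strcmp(user, "carol") != 0) return AUTHN_NOT_FOUND;
    return strcmp(password, "old-pw") == 0 ? AUTHN_GRANTED : AUTHN_DENIED;
}

static const provider_fn providers[] = { primary_store, legacy_store };
#define N_PROVIDERS (sizeof providers / sizeof providers[0])

/* Loop that stops only on a grant: a denial or an error falls through. */
authn_result check_break_on_grant(const char *user, const char *password) {
    authn_result r = AUTHN_NOT_FOUND;
    for (size_t i = 0; i < N_PROVIDERS; i++) {
        r = providers[i](user, password);
        if (r == AUTHN_GRANTED) break;
    }
    return r;
}

/* Loop as the message describes it: continue only if the user was not found. */
authn_result check_continue_on_not_found(const char *user, const char *password) {
    authn_result r = AUTHN_NOT_FOUND;
    for (size_t i = 0; i < N_PROVIDERS; i++) {
        r = providers[i](user, password);
        if (r != AUTHN_NOT_FOUND) break;
    }
    return r;
}

int main(void) {
    printf("%d %d\n", check_break_on_grant("alice", "old-pw"),
           check_continue_on_not_found("alice", "old-pw"));
    return 0;
}
```

With the first loop, a denial or backend error from the first provider is overridden by whatever a later provider says; with the second, only a user the earlier provider does not know reaches the next one.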
