While cleaning up the 2.1 auth docs, some things bubbled up that are worth
patching, imho :) If all patches are applied, applying them in the
described order should work. But before that, a general question: What's the
reason that Auth*Provider cannot be determined in .htaccess files?
The worst case would be a 500, similar to the usage of AuthDBM* directives,
if no mod_authn_dbm is configured, so I see no problem in .htaccess-allowed
*Provider directives.
- yesno.diff:
There is some confusion with "yes" and "no" and "on" and "off"... ;-)
By the way: the AccessAuthoritative directive in mod_authz_default is
wrongly named, isn't it? I think it should be AuthzDefaultAuthoritative.
No patch for this, because trivial ;-)
- authoritative.diff:
When asking the providers for authentication, the main loop should not only
break if access is granted. It should also break if access was *denied*
by one provider. To be safe, it has to break also if an error occurred. So
the patch turns the condition around and continues only if the user was
not found.
I also find it weird that if auth was denied (by password usually), the
AuthBasicAuthoritative behaviour can override that by "passing to lower
modules". The patch changes that behaviour, too.
- null.diff:
Ouch. There are some possible NULL pointer references. Have you ever tried
AuthDigestProvider dbm? This results in a great kaboom. The patch makes
apache throw an error if someone tries a provider that doesn't support
the particular auth scheme.
- anon2p.diff:
mod_authn_anon should be a provider, too, shouldn't it? This patch resolves
that. That drops the Anonymous_Authoritative directive, of course.
By the way, is now the time to give the anon directives a better face? ;-))
nd
--
>Can anyone tell me what exactly @-domains are?
A myth. An advertising gimmick. A con. Call it what you like...
-- Alexandra Buss and Björn Höhrmann in dciwam
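
Added example, not part of the original message or of the httpd sources: a standalone C model of the provider loop discussed under authoritative.diff, contrasting a loop that stops only on a grant with one that continues only when the user was not found. All type, function and data names are hypothetical, and the credential stores are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Standalone model: all names are hypothetical, not httpd's API. */
typedef enum { ST_GRANTED, ST_DENIED, ST_USER_NOT_FOUND, ST_ERROR } status_t;
typedef struct { const char *user, *password; } cred_t;
typedef struct { const cred_t *creds; size_t n; int broken; } provider_t;

/* Constructed sample data: "alice" is in both stores with different passwords. */
static const cred_t store_a[] = { { "alice", "current-pw" } };
static const cred_t store_b[] = { { "alice", "stale-pw" }, { "bob", "bob-pw" } };
static const provider_t chain[]     = { { store_a, 1, 0 }, { store_b, 2, 0 } };
static const provider_t chain_err[] = { { store_a, 1, 1 }, { store_b, 2, 0 } };

static status_t check_password(const provider_t *p, const char *user, const char *pw)
{
    if (p->broken)
        return ST_ERROR;                          /* e.g. backend unreadable */
    for (size_t i = 0; i < p->n; i++)
        if (strcmp(p->creds[i].user, user) == 0)  /* plain compare: model only */
            return strcmp(p->creds[i].password, pw) == 0 ? ST_GRANTED : ST_DENIED;
    return ST_USER_NOT_FOUND;
}

/* Stops only on a grant, so a later provider can overturn a denial or an error. */
static status_t auth_break_on_grant(const provider_t *c, size_t n,
                                    const char *user, const char *pw)
{
    status_t st = ST_USER_NOT_FOUND;
    for (size_t i = 0; i < n; i++) {
        st = check_password(&c[i], user, pw);
        if (st == ST_GRANTED)
            break;
    }
    return st;
}

/* Condition turned around: continue only while the user was not found. */
static status_t auth_continue_on_not_found(const provider_t *c, size_t n,
                                           const char *user, const char *pw)
{
    status_t st = ST_USER_NOT_FOUND;
    for (size_t i = 0; i < n; i++) {
        st = check_password(&c[i], user, pw);
        if (st != ST_USER_NOT_FOUND)
            break;
    }
    return st;
}
```

With the first loop, a denial or error from the first provider is silently replaced by whatever a later provider says; with the second, the first definite answer is final.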