httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Candler <>
Subject Re: proposed authz rewrite (was:Re: Suggest renaming mod_authz_host to mod_access_host)
Date Sun, 27 Nov 2005 21:29:40 GMT
On Sat, Nov 26, 2005 at 10:56:23AM -0700, Brad Nicholes wrote:
>    Speaking of authz rewrite, currently the directives 'authtype',
> 'authname' and 'require' are all implemented in the core module.  This
> just doesn't seem like the right place for them so I am considering
> moving the directives to mod_authz_host.

Just a thought (sorry if this has been suggested before): perhaps you could
borrow some ideas from PAM. In PAM, each authentication module takes a turn,
and its results can be marked as "sufficient" or "required". Using this
model, "Satisfy All" could be

Require valid-user required
Allow from 192.168.1 required

whilst "Satisfy Any" could be

Require valid-user sufficient
Allow from 192.168.1 sufficient
Deny from all

although the choice of keywords could be made a lot clearer,especially
"require .. required"! IMO, "require..." and "allow..." are really just
'authorise by user' and 'authorise by host ip' respectively, so two cases of
more or less the same thing.

Also, I don't see why a single authorisation module couldn't be invoked more
than once:

Allow from 192.168.1 sufficient
Allow from 192.168.4 sufficient
Deny from 192.168 sufficient
Allow from all

would mean "deny from all 192.168 addresses except 192.168.1 and 192.168.4".

A formulation like the above is something that I personally would find a lot
easier to understand than the "order allow,deny" or "order deny,allow" stuff
required now, which I have to look up *every* time I use it to make sure I
get it the right way round :-)

Another model to look at would be Exim ACLs. Essentially, each ACL condition
can give an accept (2xx), reject (5xx) or defer (4xx) response. Then you
build up ACLs such as

accept   condition1

(if all of condition1, condition2 and condition3 are true then the ACL
terminates with an 'accept' condition. If any defer, then the ACL defers.
Otherwise continue to the next ACL entry)

reject   condition1

(if both of condition1 and condition2 are true then the ACL terminates with
a 'reject' condition)


View raw message