httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <>
Subject Re: Auth*Authoritative
Date Tue, 15 Nov 2005 22:32:25 GMT
--On November 15, 2005 4:12:44 PM -0500 Joshua Slive <> 

> Getting closer, but I'm still confused.
> The Auth*Provider directives make sense to me for choosing which
> mod_authn_* module will get a crack at doing authentication.  But there
> are two other ordering problems: mod_auth_basic versus mod_auth_digest
> and the mod_authz_* modules in the authorization phase.  It seems that
> these are where the Auth*Authoritative directives apply, and that there
> is no way (short of code editing) to do explicit ordering on these.  Is
> this correct?

So, for mod_auth_basic and mod_auth_digest, they will usually be exclusive 
- this is indicated by the AuthType directive.  So, the conflict there is 
likely to be minimal.  Even if both were specified, the browser/client 
won't usually present *both* Basic and Digest authentications in the same 

However, if an authentication module doesn't use the provider system (which 
is allowed in order to permit source-compatibility with 2.0 authentication 
modules), then then the Authoritative directives will control its 
interaction with mod_auth_basic/mod_auth_digest.

For Authoritzation, the problem is unchanged from previous versions of 
httpd.  You must rely upon Authoritative directives to properly order the 
authorization modules - until such time as someone goes and cleans them up 
too.  The ordering of mod_authz_* modules will usually be non-deterministic 
and subject to _HOOK_FIRST, _HOOK_MIDDLE, and _HOOK_LAST constants 
determined at compile-time.  When a module is in the same 'priority' class, 
then the 'predeccessor'/'successor' logic kicks in at module 
registration-time.  (This is why Nick wants to move some of our bundled in 
authorization modules to _HOOK_LAST.)

Hope this clarifies some.  -- justin

View raw message