From: "Brad Nicholes"
Date: Mon, 13 Feb 2006 13:49:34 -0700
Subject: Re: Change in how to configure authorization

>>> On 2/13/2006 at 8:39:41 am, in message
<20060213153940.GA3212@redhat.com>, jorton@redhat.com wrote:
> On Mon, Feb 13, 2006 at 08:26:39AM -0700, Brad Nicholes wrote:
>> Yes, we do need to make this change. With the provider based
>> rearchitecting of authentication in httpd 2.2, this left authorization
>> in an unpredictable state especially when using multiple authorization
>> types. You were never quite sure which one was going to happen first
>> and had no way to order them or control them. With that, there was
>> also a growing demand to be able to apply AND/OR logic to the way in
>> which authorization is applied. So basically this change brings
>> authorization up to the same level of power and flexibility that
>> currently exists in httpd 2.2 for authentication. Hence being new
>> functionality, there are bound to be bugs that need to be fixed,
>> especially with backwards compatibility. So let's get the bugs
>> identified and fixed.
>
> Could you have a look at making the test suite pass again, to that end?
>
> I tried to port mod_authany (c-modules/authany/mod_authany.c) to the
> trunk authz API, but to no avail. The tests which fail are:
>
> t/http11/basicauth..........# Failed test 2 in t/http11/basicauth.t at
> line 24
> FAILED test 2
> Failed 1/3 tests, 66.67% okay
> t/security/CVE-2004-0811....# Failed test 1 in
> t/security/CVE-2004-0811.t at line 14
> # Failed test 2 in t/security/CVE-2004-0811.t at line 14 fail #2
> # Failed test 3 in t/security/CVE-2004-0811.t at line 14 fail #3
> # Failed test 4 in t/security/CVE-2004-0811.t at line 14 fail #4
> FAILED tests 1-4
>
> jo

The problem that I see with mod_anyuser is that it is trying to re-register the 'user' authorization provider. All of the authorization types must be unique. So in this case, the provider should probably be called 'any-user' or something like that. Then, according to the code, the whole thing looks a lot like 'valid-user'. Is there a reason why the test configuration doesn't just use 'valid-user'?

Brad