httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: svn commit: r427780 - in /httpd/httpd/trunk: docs/manual/mod/mod_authz_core.xml modules/aaa/mod_
Date Wed, 02 Aug 2006 21:00:13 GMT
>>> On 8/2/2006 at 1:38 PM, in message <44D0FF24.80109@apache.org>, Ruediger Pluem <rpluem@apache.org> wrote:

> 
> On 08/02/2006 12:54 AM, bnicholes@apache.org wrote:
>> Author: bnicholes
>> Date: Tue Aug  1 15:54:38 2006
>> New Revision: 427780
>> 
>> URL: http://svn.apache.org/viewvc?rev=427780&view=rev 
>> Log:
>> Converted the reject directive to be definitive and enabled directory_merge 
> to merge all of the authorization rules and logic.
>> 
>> Modified:
>>     httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
>>     httpd/httpd/trunk/modules/aaa/mod_auth.h
>>     httpd/httpd/trunk/modules/aaa/mod_authz_core.c
>> 
>> Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
>> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core 
> .xml?rev=427780&r1=427779&r2=427780&view=diff
>> 
> =============================================================================
> =
>> --- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
>> +++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Tue Aug  1 15:54:38 
> 2006
>> @@ -112,8 +112,8 @@
>>  
>>  <directivesynopsis>
>>  <name>Reject</name>
>> -<description>Rejects which authenticated users can access
>> -a resource</description>
>> +<description>Rejects authenticated users or host based 
>> +requests from accessing a resource</description>
>>  <syntax>Reject <var>entity-name</var> [<var>entity-name</var>]
...</syntax>
>>  <contextlist><context>directory</context><context>.htaccess</context>
>>  </contextlist>
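Review bot: The new Reject description should hyphenate "host based" as "host-based requests". The log message says the directive is now definitive, but the one-line description does not mention it; a short clause there would keep the summary in line with the behaviour change.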
>> @@ -122,10 +122,12 @@
>>  <usage>
>>      <p>This directive is similar to the 
>>      <directive module="mod_authz_core">Require</directive> directive
however
>> -    it rejects which authenticated users can access a resource.  The 
>> +    it rejects which authenticated users or host based requests from 
> accessing a resource.  The 
>>      restrictions are processed by authorization modules.  See the 
>>      <directive module="mod_authz_core">Require</directive> directive
for 
> details 
>> -    about usage.</p>
>> +    about usage.  If found as part of the authorization rules, the reject 
> directive
>> +    is definitive.  In other words, if the reject statements is satisfied, 
> the entire request
>> +    is automatically rejected no matter what other require rules may 
>exist.</p>
>>  </usage>
>>  
>>  <seealso><a href="../howto/auth.html">Authentication, Authorization,
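Review bot: The added usage text for Reject has two grammar slips in the sentences that describe the new deny semantics. "it rejects which authenticated users or host based requests from accessing a resource" mixes the old wording ("rejects which ... can access") with the new one; something like "it prevents the named authenticated users or host-based requests from accessing a resource" reads cleanly. "if the reject statements is satisfied" should be "if a reject statement is satisfied". Since the text now promises that a matching Reject wins "no matter what other require rules may exist", it would help to state explicitly whether that includes rules merged in from parent sections.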
>> @@ -220,6 +222,31 @@
>>  
>>  <seealso><a href="../howto/auth.html">Authentication, Authorization,
>>      and Access Control</a></seealso> 
>> +
>> +</directivesynopsis>
>> +
>> +<directivesynopsis type="section">
>> +<name>AuthzMergeRules</name>
>> +<description>Set to 'on' to allow the parent's &lt;Directory&gt; or

> &lt;Location&gt; 
>> +authz rules to be merged into the current &lt;Directory&gt; or 
> &lt;Location&gt;.  
>> +Set to 'off' to disable merging. If set to 'off', only the authz rules 
> defined in 
>> +the current &lt;Directory&gt; or &lt;Location&gt; block will apply.</description>
>> +<syntax>AuthMergeRules on | off</syntax>
>> +<default>AuthMergeRules on</default>
>> +<contextlist><context>directory</context><context>.htaccess</context>
>> +</contextlist>
>> +<override>AuthConfig</override>
>> +
>> +<usage>
>> +    <p>By default all of the authorization rules within a &lt;Directory&gt;
>> +    &lt;Location&gt; hierarchy are merged together to form a single 
>> +    logical authorization operation.  If AuthzMergeRules is set to 'on', 
> then
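Review bot: The directive name is inconsistent in this new synopsis: <name> and the usage text say AuthzMergeRules, while <syntax> and <default> both say AuthMergeRules. Only one spelling can match the module, and an administrator copying the syntax line would end up with a different name than the one documented. The synopsis is also marked type="section", which looks unintended for a plain on | off switch. In the usage paragraph, "within a &lt;Directory&gt; &lt;Location&gt; hierarchy" is missing the "or" that the description uses.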
> 
> Shouldn't that be 'off' above?
> 
> Regards
> 
> Rüdiger

No, the default is to merge authz rules.  At least that is how I understood access control
to be working by default in the past.  There was no concept of inherited authz before 2.3.
 Also, Joshua pointed out a flaw in my thinking which I am looking into now.

Brad

