httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <>
Subject Re: svn commit: r427780 - in /httpd/httpd/trunk: docs/manual/mod/mod_authz_core.xml modules/aaa/mod_
Date Wed, 02 Aug 2006 21:39:53 GMT

On 08/02/2006 11:00 PM, Brad Nicholes wrote:

> No, the default is to merge authz rules.  At least that is how I understood access control
to be working by default in the past.  There was no concept of inherited authz before 2.3.
 Also, Joshua pointed out a flaw in my thinking which I am looking into now.

My bad I did not cite it correctly. I was not talking about the default, but the fact that
on and off is explained
differently in different sections (at least to my understanding):

+Set to 'off' to disable merging. If set to 'off', only the authz rules defined in
+the current &lt;Directory&gt; or &lt;Location&gt; block will apply.</description>
+<syntax>AuthMergeRules on | off</syntax>
+<default>AuthMergeRules on</default>
+    <p>By default all of the authorization rules within a &lt;Directory&gt;
+    &lt;Location&gt; hierarchy are merged together to form a single
+    logical authorization operation.  If AuthzMergeRules is set to 'on', then
+    only the authorization rules that are contained with the current
+    &lt;Directory&gt; or &lt;Location&gt; block are considered. This

First 'off' is said to prevent merging (which makes sense), but later on 'on' is
said to do just that.



View raw message