httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Darroch <>
Subject Re: walk caching to avoid extra authnz
Date Fri, 29 Dec 2006 22:53:20 GMT
Hi --

Chris Darroch wrote:

>    Much appreciated, but alas, Justin pointed out a serious conflict
> in mod_authz_svn, and more generally, various modules may exist out
> there that are also expecting authnz functions to be called for every
> sub-request that has a different URI/filepath.


>    This optimization in httpd would be possible if it could assume
> its config files contained a complete description of all the per-directory
> authnz configurations.  But, as noted in the SVN docs, some modules
> like mod_authz_svn may provide authnz functions that do per-directory
> discriminations based on data from outside the httpd config files.
> They can do this because of the way sub-request per_dir_config data
> is handled now.  Since there's no way for httpd to know about such
> external per-directory authnz discriminations, we can't add the walk
> cache optimizations as I first wrote them.
>    Maybe in 3.x they could be added this way, but I'd prefer to see
> them arrive a little sooner, if at all possible.  Thinking about it
> last night, what I thought might work is for httpd to assume that
> any module that provides authnz functions is by default "unsafe for
> walk cache optimization".  However, the majority -- maybe all -- of
> the authnz modules in the httpd distribution could explicitly set
> a flag which indicates that they're "safe".  If no modules are loaded
> that are unsafe, then the optimization could be done, otherwise the
> old behaviour would be the default.  Existing external modules would
> continue to work as before.

   I've revised my patch set for httpd trunk to do something like
what's described above; it's available at:

   Briefly, the walk cache changes I made earlier are still in place,
but sub-requests and internal redirects only share the initial
request's per_dir_config if ap_auth_initial_req_only() returns true.
Otherwise, they get their own private copy, as before.

   The new function ap_auth_initial_req_only() simply returns
the AND'ed value of two optional functions, one each for authn and
authz.  These functions return true or false depending on whether
any authn or authz providers were registered using the old "unsafe
for walk cache optimization" version code.  If none were -- as
should usually be the case for most installations -- then optimization
can proceed.

   The main trick here is that instead of the hard-coded version
string "0" for authn/z providers, AUTHN/Z_PROVIDER_VERSION_ALL_REQ and

   Also, instead of doing ap_lookup_provider() directly,
ap_authn_lookup_provider() and ap_authz_lookup_provider() should be
used instead.  These check first for a "better" INITIAL_REQ version,
then fall back to the ALL_REQ version.

   Based on a somewhat speedy evaluation, I don't see any authn/z
modules that would require the ALL_REQ version -- that is, anything
which works like mod_authz_svn, and discriminates between requests
on the basis of URLs (using configuration information other than the
normal httpd configuration directives).

   I won't check this in anytime soon, because I'd like to hear if
anyone can think of additional problems, or has issues with this
proposed solution.  Fire away!  Thanks,


GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B

View raw message