httpd-dev mailing list archives

From "Brad Nicholes" <>
Subject Re: svn commit: r534533 - in /httpd/httpd/trunk: include/http_core.h modules/aaa/mod_access_compat.c modules/aaa/mod_auth.h modules/aaa/mod_authz_core.c modules/aaa/mod_authz_default.c server/core.c server/request.c
Date Wed, 02 May 2007 22:46:47 GMT
>>> On 5/2/2007 at 1:47 PM, in message
<>, "Joshua Slive"
<> wrote:
> On 5/2/07, Brad Nicholes <> wrote:
>> Yeah, that's where I mentioned that things might look a little confusing.  
> There actually is a good reason to have both and yes some of the 
> functionality can overlap.  The reason for having mod_authz_host is so that 
> host, IP, ENV, etc. can be used during authorization as well.  This really 
> wasn't as issue in 2.2 because the AND/OR/NOT logic didn't exist yet.  Now 
> that you can apply this type of logic to authorization, allowing host, IP, 
> ENV, etc. to be part of that, make sense.  If we moved mod_authz_host back to 
> the 2.2 version, in the first place it would no longer be authz but just 
> mod_access again and you wouldn't be able to include host, IP, ENV, etc. as 
> part of an authorization rule.  But I agree that mod_access_compat name no 
> longer makes sense.
> What kinds of configurations are we actually talking about where
> Require ip could do things that Order/Allow/Satisfy could not? I guess
> you are talking about things like
> <SatisfyOne>
>   <SatisfyAll>
>     Require user john
>     Require ip 192.0.0
>   </SatisfyAll>
>   <SatisfyAll>
>     Require user bob
>     Require ip 191.0.0
>   </SatisfyAll>
> </SatisfyOne>
> Is that kind of configuration really common enough to justify the
> added complexity of two different access-control systems? (It can be
> accomplished in current versions using some Alias/Location hacks or
> with mod_rewrite.)
> My opinion is that either we get rid of Require ip or we fix the hook
> ordering so that Order/Allow/Satisfy/etc can really be deprecated.
> Joshua.

Correct, except I am thinking something more like:

      Require user john
          Require ip 192.0.0
          Require ip 137.65.0
          Require host
      Require group admins
          Require ip
          Require ldap-attribute status="highest"

Which may be a bit more complicated to try to duplicate using other means.  Besides, it seems
to be a lot more straightforward to keep all of the authorization logic in one place rather
than bits and pieces spread out in mod_rewrite rules or alias/location hacks.

I'm all for figuring out a way to rework the hooks so that Order/Allow/Satisfy/etc. can really
be deprecated.  That is what my original intention was.  However, after revisiting this issue,
I'm not sure how to do it yet.
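The nested AND/OR authorization the thread is debating, as an added example that is not httpd's code nor either author's: a toy evaluator where SatisfyAll passes only if every rule passes and SatisfyOne passes if any rule does (the containers shipped in 2.4 as RequireAll/RequireAny). It assumes simplified provider semantics, and the user/group/LDAP data, the blank `Require host`/`Require ip` arguments in Brad's sketch, and the reading of his indentation as "user john from any of the listed networks, or an admin from the given network with the LDAP attribute" are all constructed here.

```python
import ipaddress

# Constructed directory data standing in for the real user, group and LDAP backends.
GROUPS = {"admins": {"alice", "bob"}}
LDAP_ATTRS = {"alice": {"status": "highest"}, "bob": {"status": "normal"}}


def ip_matches(client_ip, spec):
    """Apache-style partial IP: '192.0.0' matches 192.0.0.x; CIDR is also accepted."""
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    return (client_ip + ".").startswith(spec.rstrip(".") + ".")


def require(provider, arg, req):
    """Evaluate one 'Require <provider> <arg>' line against a request dict."""
    if provider == "user":
        return req.get("user") == arg
    if provider == "group":
        return req.get("user") in GROUPS.get(arg, set())
    if provider == "ip":
        return ip_matches(req["ip"], arg)
    if provider == "host":
        return req.get("host", "").endswith(arg)
    if provider == "ldap-attribute":
        key, value = arg.split("=", 1)
        return LDAP_ATTRS.get(req.get("user"), {}).get(key) == value
    raise ValueError(f"unknown authz provider: {provider}")


def evaluate(rule, req):
    """rule is ('all', [rules]), ('one', [rules]) or (provider, argument)."""
    kind, body = rule
    if kind == "all":          # <SatisfyAll>: every child must pass
        return all(evaluate(r, req) for r in body)
    if kind == "one":          # <SatisfyOne>: at least one child must pass
        return any(evaluate(r, req) for r in body)
    return require(kind, body, req)


# Brad's sketch, with constructed values where his lines left the argument blank.
POLICY = ("one", [
    ("all", [("user", "john"),
             ("one", [("ip", "192.0.0"), ("ip", "137.65.0"), ("host", ".example.com")])]),
    ("all", [("group", "admins"), ("ip", "10.0.0.0/8"),
             ("ldap-attribute", "status=highest")]),
])


def authorize(req):
    """True if the request satisfies POLICY; a denied request fails every branch."""
    return evaluate(POLICY, req)
```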

