httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: svn commit: r534533 - in /httpd/httpd/trunk: include/http_core.h modules/aaa/mod_access_compat.c modules/aaa/mod_auth.h modules/aaa/mod_authz_core.c modules/aaa/mod_authz_default.c server/core.c server/request.c
Date Wed, 02 May 2007 19:47:12 GMT
On 5/2/07, Brad Nicholes <BNICHOLES@novell.com> wrote:

> Yeah, that's where I mentioned that things might look a little confusing.
> There actually is a good reason to have both and yes some of the
> functionality can overlap. The reason for having mod_authz_host is so that
> host, IP, ENV, etc. can be used during authorization as well. This really
> wasn't an issue in 2.2 because the AND/OR/NOT logic didn't exist yet. Now
> that you can apply this type of logic to authorization, allowing host, IP,
> ENV, etc. to be part of that makes sense. If we moved mod_authz_host back
> to the 2.2 version, in the first place it would no longer be authz but just
> mod_access again and you wouldn't be able to include host, IP, ENV, etc. as
> part of an authorization rule. But I agree that the mod_access_compat name
> no longer makes sense.

What kinds of configurations are we actually talking about where
Require ip could do things that Order/Allow/Satisfy could not? I guess
you are talking about things like
<SatisfyOne>
  <SatisfyAll>
    Require user john
    Require ip 192.0.0
  </SatisfyAll>
  <SatisfyAll>
    Require user bob
    Require ip 191.0.0
  </SatisfyAll>
</SatisfyOne>

Is that kind of configuration really common enough to justify the
added complexity of two different access-control systems? (It can be
accomplished in current versions using some Alias/Location hacks or
with mod_rewrite.)

My opinion is that either we get rid of Require ip or we fix the hook
ordering so that Order/Allow/Satisfy/etc can really be deprecated.

Joshua.
