From Chris Darroch
Subject Re: 2.4 (Was: Re: Configuration Issues to Address [was Re: Dynamic configuration for the hackathon?])
Date Thu, 03 Apr 2008 17:28:24 GMT
William A. Rowe, Jr. wrote:

> I'd -1 a 2.4.0 release today, because nobody has even bothered to make
> a candidate for 2.3-dev.  Auth logic changes break most if not all third
> party auth modules (broke an auth feature in mod_ftp).  Not talking about
> commercial modules .... but every third party auth extension out there.

   I've been working with the 2.4 authn/z stuff a bit lately and
what I keep tripping over is that the default authorization merge rule
uses OR logic.  For example, if I enable mod_access_compat and
put in a traditional:

<Location /foo>
    Order deny,allow
    Deny from all
</Location>

it doesn't take effect, because the default top-level <Directory>
contains "Require all granted" and since that succeeds for all
requests, everything else is short-circuited by the OR merge logic.
So at a minimum I seem to have to put in an "AuthzMergeRules Off" to
get things to DWIM.

   I fear that might trip up a significant percentage of people
upgrading ... perhaps an "AuthzMergeRules Off" in the default httpd.conf
would be sufficient, but my experience with mod_authz_dbd suggested
that I needed to put it in a lot of places to get stuff working
the way I intended (e.g., the example config in the mod_authz_dbd
manual page in the trunk docs).
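
An added example, not part of the original message or of httpd itself: a small Python audit that flags sections whose restrictions are OR-merged with an inherited "Require all granted", which is the situation the message describes. It models only that described behaviour; the sample config, the function names, placing "AuthzMergeRules Off" inside the section, and treating <Directory /> as covering every request are assumptions.

```python
import re

# Constructed sample config for illustration (not taken from the message).
SAMPLE = """
<Directory />
    Require all granted
</Directory>
<Location /foo>
    Order deny,allow
    Deny from all
</Location>
<Location /bar>
    AuthzMergeRules Off
    Deny from all
</Location>
"""

def parse_sections(text):
    """Return [(kind, path, [normalized directives])] for flat sections."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.fullmatch(r"<(Directory|Location)\s+(\S+)>", line)
        if opened:
            current = (opened.group(1), opened.group(2), [])
        elif re.fullmatch(r"</(Directory|Location)>", line) and current:
            sections.append(current)
            current = None
        elif line and current:
            current[2].append(" ".join(line.lower().split()))
    return sections

def shadowed_restrictions(text):
    """Paths whose restrictions are OR-merged with an inherited grant-all."""
    sections = parse_sections(text)
    # Assumption: "<Directory />" applies to every request, as in the message.
    inherited_grant = any(kind == "Directory" and path == "/"
                          and "require all granted" in rules
                          for kind, path, rules in sections)
    flagged = []
    for kind, path, rules in sections:
        restricts = any(r.startswith("deny from") or
                        (r.startswith("require") and r != "require all granted")
                        for r in rules)
        merges = "authzmergerules off" not in rules  # merging is the default
        if inherited_grant and restricts and merges:
            flagged.append(path)
    return flagged
```

On the constructed sample, only /foo is reported; /bar opts out of merging and the top-level section contains no restriction.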


