httpd-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Authz directives
Date Tue, 09 Dec 2008 08:47:04 GMT
I am a little frustrated by the changes to authorization since 2.2.
I don't understand why they were needed in the first place, nor why
we need two different but equally incomprehensible ways to configure
the same things.

I totally understand the desire to make the implementation more
modular and to make a more sensible Satisfy logic, but I don't
understand the need for Match (as opposed to just extending Require)
and the odd changes in defaults (multiple Require defaults to
MatchAny semantics, but multiple Match defaults to MatchAll).

The relevant doc links are, for 2.2:

   http://httpd.apache.org/docs/2.2/howto/auth.html
   http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
   http://httpd.apache.org/docs/2.2/mod/core.html#require
   http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

and for trunk:

   http://httpd.apache.org/docs/trunk/howto/auth.html
   http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html
   http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html

I suggest that we do the following:

1) make the new directives self-documenting

    remove MatchNotAll (nobody needs this)

    s/MatchAny/RequireAny/ig;
    s/MatchAll/RequireAll/ig;
    s/MatchNotAny/RequireNone/ig;

    s/(MergeAuthz|AuthzMerge)/AuthMerging/ig;   (off | and | or)

2) move new Match functionality to Require

3) default for multiple Require* is RequireAny
    - implies that "Require" and "Require not" are only mixed when
      used within a RequireAll or RequireNone container.

In other words, we have one set of authorization directives with
Require being backward-compatible with old configs, and the authz
docs can tell one story of how to build more and more complex
configurations using the same directives.

Does that make sense to folks?  I don't have much experience with
the auth directives (never had much use for them at my sites), so
let me know if I've overlooked something.

....Roy
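
Item 3 of the proposal, as a plain boolean model: an added example, not code from the message or from httpd, and not a description of how httpd evaluates directives. The `Require`/`Container` classes, the `section`, `lint` and `allowed` helpers, and the user name and addresses are all assumptions made for illustration. It shows why a bare "Require not" next to a positive Require under the RequireAny default would admit nearly everyone, and how a config check can flag that placement.

```python
# Added illustration: a plain boolean model of the proposal, not httpd code.
from dataclasses import dataclass, field

@dataclass
class Require:
    kind: str             # "user" or "ip" (the only providers modelled here)
    value: str
    negate: bool = False  # True models "Require not ..."

@dataclass
class Container:
    mode: str             # "RequireAny", "RequireAll" or "RequireNone"
    children: list = field(default_factory=list)

def section(*directives):
    """Bare directives in one section: item 3 makes RequireAny the default."""
    return Container("RequireAny", list(directives))

def lint(node, parent=None):
    """Return negated Requires that sit outside RequireAll/RequireNone."""
    if isinstance(node, Require):
        ok = not node.negate or parent in ("RequireAll", "RequireNone")
        return [] if ok else [node]
    return [bad for child in node.children for bad in lint(child, node.mode)]

def allowed(node, request):
    """Evaluate a directive tree against a request {"user": ..., "ip": ...}."""
    if isinstance(node, Require):
        return (request.get(node.kind) == node.value) != node.negate
    results = [allowed(child, request) for child in node.children]
    if node.mode == "RequireAll":
        return all(results)
    if node.mode == "RequireNone":
        return not any(results)
    return any(results)  # RequireAny

# Constructed sample data (user name and addresses are made up).
ALICE = Require("user", "alice")
NOT_BLOCKED = Require("ip", "192.0.2.7", negate=True)
STRANGER = {"user": None, "ip": "198.51.100.9"}

# Mixed under the default: "alice OR not 192.0.2.7" lets the stranger in.
mixed_default = section(ALICE, NOT_BLOCKED)
# Mixed inside RequireAll: "alice AND not 192.0.2.7" is the intended policy.
mixed_all = section(Container("RequireAll", [ALICE, NOT_BLOCKED]))
```

Running `lint` over a parsed configuration before deployment catches the first form; `allowed(mixed_default, STRANGER)` shows what it would otherwise grant under this model.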