httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: svn commit: r964156 - in /httpd/httpd/trunk: docs/manual/developer/ include/ modules/aaa/ server/
Date Thu, 15 Jul 2010 22:00:55 GMT
On Thursday 15 July 2010, Ruediger Pluem wrote:
> On 07/14/2010 09:59 PM, sf@apache.org wrote:
> > Author: sf
> > Date: Wed Jul 14 19:59:31 2010
> > New Revision: 964156
> > 
> > URL: http://svn.apache.org/viewvc?rev=964156&view=rev
> > Log:
> > The approach for allowing authorization by user or IP introduced
> > in r956387, etc. causes problems because the authentication
> > module calls note_*_auth_failure if authentication fails. This
> > is inappropriate if access is later allowed because of the IP.
> > 
> > So, instead of calling the auth_checker hook even if
> > authentication failed, we introduce a new access_checker_ex hook
> > that runs between the access_checker and the check_user_id
> > hooks. If an access_checker_ex functions returns OK, the request
> > will be allowed without authentication.
> > 
> > To make use of this, change mod_authz_core to walk the require
> > blocks in the access_checker_ex phase and deny/allow the request
> > if the authz result does not depend on an authenticated user. To
> > distinguish a real AUTHZ_DENIED from an authz provider from an
> > authz provider needing an authenticated user, the latter must
> > return the new AUTHZ_DENIED_NO_USER code.
> > 
> > Modified:
> >     httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml
> >     httpd/httpd/trunk/include/ap_mmn.h
> >     httpd/httpd/trunk/include/http_request.h
> >     httpd/httpd/trunk/include/mod_auth.h
> >     httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_core.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_host.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
> >     httpd/httpd/trunk/modules/aaa/mod_authz_user.c
> >     httpd/httpd/trunk/server/request.c
> > 
> > Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_a
> > uthz_host.c?rev=964156&r1=964155&r2=964156&view=diff
> > ================================================================
> > ============== --- httpd/httpd/trunk/modules/aaa/mod_authz_host.c
> > (original) +++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c
> > Wed Jul 14 19:59:31 2010 @@ -104,7 +104,7 @@ static authz_status
> > env_check_authorizat
> > 
> >          }
> >      
> >      }
> > 
> > -    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > +    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> 
> Why changing to debug?
> 
> >                    "access to %s failed, reason: env variable
> >                    list does not meet " "'require'ments for user
> >                    '%s' to be allowed access", r->uri, r->user);
> > 
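
Review bot: the drop from APLOG_ERR to APLOG_DEBUG in env_check_authorization's failure path is not mentioned in the commit log, which only describes the new access_checker_ex hook and AUTHZ_DENIED_NO_USER; now that this path is also reached for a Require that merely fails to match inside a <RequireAny> block while a later Require still allows the request, state that rationale in the log message or a CHANGES entry so the lowered level does not look accidental.
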
> > @@ -162,7 +162,7 @@ static authz_status ip_check_authorizati
> > 
> >          }
> >      
> >      }
> > 
> > -    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > +    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> > 
> >                    "access to %s failed, reason: ip address list
> >                    does not meet " "'require'ments for user '%s'
> >                    to be allowed access", r->uri, r->user);
> 
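Review bot: the ip_check_authorization message still interpolates r->user ("for user '%s'"), but with mod_authz_core now walking the Require blocks in the access_checker_ex phase, which the log says runs before check_user_id, this provider can run while r->user is still NULL, so the line would print "(null)" (apr's formatter substitutes that for a NULL %s argument). Since this provider never needs a user, consider dropping the user clause or guarding it, e.g. `r->user ? r->user : "(none)"`.
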
> Why changing to debug?
> 
> > @@ -197,7 +197,7 @@ static authz_status host_check_authoriza
> > 
> >              }
> >          
> >          }
> > 
> > -        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> > +        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> > 
> >                        "access to %s failed, reason: host name
> >                        list does not meet " "'require'ments for
> >                        user '%s' to be allowed access", r->uri,
> >                        r->user);
> 
> Why changing to debug?

Because it's way too verbose in configurations where several Require
directives are in a <RequireAny> block. In this case every Require
that does not match would produce an ERROR-level log message, even if
the request is finally allowed by a later Require directive. I would
be ok with level INFO, too, but like DEBUG better. And people who need
the info can still set "LogLevel authz_core:debug".
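
The decision rule the commit log describes (walk the Require lines before authentication, allow on a match that needs no user, deny outright when nothing matched and no provider asked for a user, otherwise defer to check_user_id) as a self-contained model. This is an added example, not httpd's code: the enum values, the `request` struct, the prefix-matching `ip_provider`, the `require_any` walk and the `access_checker_ex` return values are all constructed here to mirror the behaviour of mod_authz_core and mod_authz_host only in outline; the real types live in mod_auth.h and the real hook returns OK/DECLINED/HTTP status codes.

```c
/* Added illustration of the r964156 authorization flow; not httpd code.
 * Equivalent httpd configuration being modelled (constructed example):
 *   <RequireAny>
 *       Require ip 10.0.0
 *       Require valid-user
 *   </RequireAny>
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    AUTHZ_DENIED,          /* provider evaluated the request and said no */
    AUTHZ_GRANTED,         /* provider evaluated the request and said yes */
    AUTHZ_DENIED_NO_USER   /* provider cannot decide without an authenticated user */
} authz_status;

/* Stand-in for request_rec with only the fields the providers consult. */
typedef struct {
    const char *client_ip;
    const char *user;      /* NULL until check_user_id has run */
} request;

/* Modelled on "Require ip": decides without a user.  Simplified string
 * prefix match, not httpd's real address/subnet parser. */
static authz_status ip_provider(const request *r, const char *arg) {
    return strncmp(r->client_ip, arg, strlen(arg)) == 0 ? AUTHZ_GRANTED
                                                        : AUTHZ_DENIED;
}

/* Modelled on "Require valid-user": must report that it needs a user
 * rather than a plain denial, so the pre-auth walk can defer. */
static authz_status valid_user_provider(const request *r, const char *arg) {
    (void)arg;
    return r->user == NULL ? AUTHZ_DENIED_NO_USER : AUTHZ_GRANTED;
}

typedef struct {
    authz_status (*check)(const request *, const char *);
    const char *arg;
} require_line;

/* Model of a <RequireAny> walk: the first GRANTED wins; with no grant,
 * report DENIED_NO_USER if any provider wanted a user, else DENIED. */
static authz_status require_any(const request *r, const require_line *lines,
                                size_t n) {
    int need_user = 0;
    for (size_t i = 0; i < n; i++) {
        authz_status s = lines[i].check(r, lines[i].arg);
        if (s == AUTHZ_GRANTED)
            return AUTHZ_GRANTED;
        if (s == AUTHZ_DENIED_NO_USER)
            need_user = 1;
    }
    return need_user ? AUTHZ_DENIED_NO_USER : AUTHZ_DENIED;
}

/* Constructed stand-ins for the hook's OK / DECLINED / HTTP_FORBIDDEN. */
typedef enum { ALLOW_NO_AUTH, NEED_AUTH, DENY } access_decision;

/* Model of the access_checker_ex phase, which runs before check_user_id. */
static access_decision access_checker_ex(const request *r,
                                         const require_line *lines, size_t n) {
    switch (require_any(r, lines, n)) {
    case AUTHZ_GRANTED:        return ALLOW_NO_AUTH; /* hook returns OK */
    case AUTHZ_DENIED_NO_USER: return NEED_AUTH;     /* defer to check_user_id */
    default:                   return DENY;          /* no credentials ever requested */
    }
}

/* The two Require blocks used in the demonstration (constructed). */
static const require_line ip_or_user[] = {
    { ip_provider,         "10.0.0" },
    { valid_user_provider, NULL },
};
static const require_line ip_only[] = {
    { ip_provider,         "10.0.0" },
};

int main(void) {
    const char *names[] = { "allow without auth", "need auth", "deny" };
    request internal = { "10.0.0.7",    NULL };
    request external = { "203.0.113.9", NULL };
    printf("internal, pre-auth: %s\n", names[access_checker_ex(&internal, ip_or_user, 2)]);
    printf("external, pre-auth: %s\n", names[access_checker_ex(&external, ip_or_user, 2)]);
    printf("external, ip-only : %s\n", names[access_checker_ex(&external, ip_only, 1)]);
    return 0;
}
```

The point the model makes visible is why AUTHZ_DENIED_NO_USER had to be a distinct code: without it the external client in the ip-or-user case would be indistinguishable from the external client in the ip-only case, and the walk could not tell "deny now" from "ask for credentials first".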
