httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: AuthN only once per request instead once every subrequest
Date Fri, 18 Mar 2011 10:45:32 GMT

On 18 Mar 2011, at 10:22, PlagiaTUM wrote:

> Dear List!
> We are trying to use mod_autoindex on an access-restricted web server
> with lots of directories. Our AuthN is costly (we are using
> mod_auth_external). With ~ 700 directories, the generation of the index
> takes > 1 minute.
> With a little profiling we found out that authentication is done for
> every subrequest, of which mod_autoindex uses plenty.

You have two good solutions to that.  Either use the ShowForbidden
option to mod_autoindex, or use mod_authn_socache.

> There is some logic in ap_process_request_internal() that should
> optimize these out; however, it does not work for us. The comparison
> (r->main->per_dir_config == r->per_dir_config) never succeeds as
> ap_merge_per_dir_configs() always returns a new configuration vector.

It does if the configurations to r and r->main are not the same.

> Cf. request.c lines 145ff (inside of ap_process_request_internal()) and
> 466ff (ap_directory_walk()) and config.c lines 230ff
> (ap_merge_per_dir_configs()).
> Why is it necessary to re-authenticate within a subrequest?
> When the per_dir configuration has changed, AuthZ has of course to be
> rechecked. AuthN, on the other hand, could be taken from the parent
> request, where it already has been verified. What are we missing?

There's nothing to stop the subrequest running off an entirely different
AuthUserFile/equiv to the main request.

Nick Kew

Available for work, contract or permanent

View raw message