httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From PlagiaTUM <plagia...@fs.tum.de>
Subject AuthN only once per request instead once every subrequest
Date Fri, 18 Mar 2011 10:22:27 GMT
Dear List!

We are trying to use mod_autoindex on an access-restricted web server
with lots of directories. Our AuthN is costly (we are using
mod_auth_external). With ~ 700 directories, the generation of the index
takes > 1 minute.

With a little profiling we found out that authentication is done for
every subrequest, of which mod_autoindex uses plenty.

There is some logic in ap_process_request_internal() that should
optimize these out; however, it does not work for us. The comparison
(r->main->per_dir_config == r->per_dir_config) never succeeds as
ap_merge_per_dir_configs() always returns a new configuration vector.

Cf. request.c lines 145ff (inside of ap_process_request_internal()) and
466ff (ap_directory_walk()) and config.c lines 230ff
(ap_merge_per_dir_configs()).

Why is it necessary to re-authenticate within a subrequest?
When the per_dir configuration has changed, AuthZ has of course to be
rechecked. AuthN, on the other hand, could be taken from the parent
request, where it already has been verified. What are we missing?

With the attached patch (against 2.2.17), the page generation is down to
one AuthN process (ca. 2 seconds overall) on our machine.
The patch is meant for communication purposes only, to illustrate what 
we are talking about. It is not intended to be a ready made solution to 
the problem we found. To make our changes stand out, we also forwent 
correct indentation.

We would have liked to include a check like ``if the user is the same as
in the parent request and it already has been AuthN'd'', but we don't
know the best way to do that.

A quick test with a .htaccess file showed that Access Restrictions are
still honored within a subrequest.

Thank you for your consideration and time!

PlagiaTUM

Mime
View raw message