httpd-dev mailing list archives

From: Graham Leggett <minf...@sharp.fm>
Subject: Re: RequireAll: seems to evaluate require lines unnecessarily
Date: Mon, 06 Aug 2012 17:05:19 GMT

On 06 Aug 2012, at 12:01 AM, Stefan Fritsch wrote:

> The API is currently such that an authz provider must return 
> AUTHZ_DENIED_NO_USER instead of AUTHZ_DENIED if its result may change 
> after authentication. Require expr in 2.4.2 does not do that. But it 
> will be fixed in 2.4.3 with
> 
> http://svn.apache.org/viewvc?view=revision&revision=1364266

I'm away for part of this week, I'll try this out when I get back.

My concern at the API is that it seems that some of the Require lines are AUTHN related, while
others are AUTHZ. In theory, if a single Require check fails AUTHN, it nullifies AUTHZ - you
cannot know if the AUTHZ would have succeeded or failed until AUTHN has occurred successfully.
This in turn means that if a line like "Require valid-user" fails, you can draw no conclusion
about any of the AUTHZ lines, they might have succeeded, they might have failed, impossible
to know with the information at hand.

Regards,
Graham
--
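
The provider contract described in the quoted text, as a simplified stand-alone model (an added example, not code from httpd or from either poster). The enum reuses the result names from the thread; `request`, the provider functions, `require_all` and `check_access` are hypothetical and only approximate how results are combined and when authentication is triggered.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model of the authz result codes named in the thread. */
typedef enum { AUTHZ_DENIED, AUTHZ_GRANTED, AUTHZ_DENIED_NO_USER } authz_status;
/* Hypothetical request: user stays NULL until authentication has run. */
typedef struct { const char *user; const char *ip; } request;
typedef authz_status (*provider_fn)(const request *r);

/* User-independent check: authentication cannot change its result. */
authz_status require_local_ip(const request *r) {
    return strcmp(r->ip, "127.0.0.1") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* Honours the contract: no user yet means "ask again after authentication". */
authz_status require_admin(const request *r) {
    if (r->user == NULL) return AUTHZ_DENIED_NO_USER;
    return strcmp(r->user, "admin") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* Breaks the contract: reports a final denial before any login. */
authz_status require_admin_broken(const request *r) {
    if (r->user == NULL) return AUTHZ_DENIED;
    return strcmp(r->user, "admin") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* RequireAll model: DENIED short-circuits; DENIED_NO_USER is remembered. */
authz_status require_all(const request *r, const provider_fn *p, size_t n) {
    authz_status result = AUTHZ_GRANTED;
    for (size_t i = 0; i < n; i++) {
        authz_status s = p[i](r);
        if (s == AUTHZ_DENIED) return AUTHZ_DENIED;
        if (s == AUTHZ_DENIED_NO_USER) result = AUTHZ_DENIED_NO_USER;
    }
    return result;
}

/* Access-check model: authenticate (set user) only when a provider asks. */
authz_status check_access(request r, const char *login, const provider_fn *p, size_t n) {
    authz_status s = require_all(&r, p, n);
    if (s != AUTHZ_DENIED_NO_USER) return s;
    r.user = login; /* constructed stand-in for the authentication step */
    return require_all(&r, p, n);
}

int main(void) {
    const provider_fn rules[] = { require_local_ip, require_admin };
    request r = { NULL, "127.0.0.1" }; /* constructed sample request */
    return check_access(r, "admin", rules, 2) == AUTHZ_GRANTED ? 0 : 1;
}
```

With `require_admin_broken` in the rule list, the first pass ends in a final `AUTHZ_DENIED`, so the model never reaches the authentication step even for a user who would have been granted access.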