From: "Mikhail T."
Date: Tue, 30 Jul 2013 19:18:03 -0400
To: dev@httpd.apache.org
Subject: Struggling with AuthMerging

Hello!

I realize configuration questions aren't meant for this list, but I'm beginning to suspect a bug...

Here is the configuration:

        <Location />
                AuthType                form
                AuthFormProvider        tiv
                Session                 On
                SessionCookieName       ti2f
                Include                 conf/sessionpw.conf
                AuthName                TI
                <RequireAll>
                        Require         tiv ipaddress
                        Require         tiv expiration
                </RequireAll>
        </Location>

        <Location /tiv>
                AuthMerging Or
                Require  all granted
                DirectoryIndex index.php
        </Location>

The idea is, the entire site is protected by our special authn/authz module we wrote (named "tiv"), except for a subdirectory /tiv, which everybody is supposed to be able to access without questions.

Unfortunately, access to /tiv is denied as well. This is what authz_core:debug lists for each hit:

authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require tiv ipaddress: denied (no authenticated user yet)
authorization result of Require tiv expiration: denied (no authenticated user yet)
authorization result of <RequireAll>: denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)

What makes me think there is a bug:

  1. The "Require all granted: granted" and "AuthMerging Any: granted" are mentioned multiple times -- instead of once per hit.
  2. The AuthMerging setting -- and I tried all legal values (Off, And, Or) -- does not seem to have an effect; I'm denied access to /tiv no matter what.
  3. RequireAll -- from Location / -- is examined at all, despite Location /tiv declaring "AuthMerging Or" (tried all values, actually, just in case).
  4. "Require tiv expiration" is tested, even though its AND-connected sibling "Require tiv ipaddress" has already failed.

How can I grant open access to a subdirectory (sublocation) while keeping the rest of the server locked up? Thanks!

-mi