httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Reser <...@reser.org>
Subject Re: Resolved (sort of): Struggling with AuthMerging
Date Sat, 03 Aug 2013 00:17:40 GMT
On Thu, Aug 1, 2013 at 7:54 PM, Mikhail T. <mi+thun@aldan.algebra.com> wrote:
> 01.08.2013 22:47, Ben Reser написав(ла):
>> That's not a bug at all.  In some cases it may be necessary for
>> authorization to run for sub-requests.
>
> Could you give an example or two? Thanks,

Sure.

mod_autoindex automatically provides a directory listing of files
under a path.  However, by default it doesn't display any paths that
you don't have access to, e.g. .htaccess.  It does this by issuing
subrequests for those other paths so that authz can run on them.
(This behavior could be changed with IndexOptions ShowForbidden).

mod_dav_svn.  Numerous commands in SVN impact other paths than the URI
(e.g. `svn list` which is similar to the autoindex case above,
commiting a copy or move which touch two paths one of which is on in
the URI but rather in the headers).  mod_dav_svn issues sub requests
for these other paths to find out if the actions are allowed on them.
Because of the performance impact of this mod_dav_svn has the
SVNPathAuthz directive to change this behavior.  One of the possible
values is short_circuit which causes mod_dav_svn to talk directly to
mod_authz_svn rather than doing a subrequest.  You might ask why don't
we just do this by default?  The reason being is if there are other
authorization limits placed from other modules then they would no
longer respected.

Mime
View raw message