Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id ED3ED10240 for ; Sat, 3 Aug 2013 20:21:02 +0000 (UTC) Received: (qmail 92473 invoked by uid 500); 3 Aug 2013 20:21:02 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 92403 invoked by uid 500); 3 Aug 2013 20:21:02 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 92388 invoked by uid 99); 3 Aug 2013 20:21:02 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 03 Aug 2013 20:21:02 +0000 X-ASF-Spam-Status: No, hits=2.2 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_NONE X-Spam-Check-By: apache.org Received-SPF: error (athena.apache.org: local policy) Received: from [69.168.97.78] (HELO smtp.rcn.com) (69.168.97.78) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 03 Aug 2013 20:20:56 +0000 X_CMAE_Category: 0,0 Undefined,Undefined X-CNFS-Analysis: v=2.1 cv=ANp1G3FL c=1 sm=0 tr=0 a=GS/m0tZvCSHFipQJINqAXA==:117 a=_qQbbi1-GVgA:10 a=yac4uheJ8tYA:10 a=YNqtyO0l_hcA:10 a=LaogzpLLAAAA:8 a=tt10PT6k82wA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=9iDbn-4jx3cA:10 a=cKsnjEOsciEA:10 a=pGLkceISAAAA:8 a=RwBXvwYpEXWc21B2ItYA:9 a=wPNLvfGTeEIA:10 a=qRLRV94jhhO5spIK4hcA:9 a=9asrU_Ss6eA-Ru-n:21 a=_W_S_7VecoQA:10 X-CM-Score: 0 X-Scanned-by: Cloudmark Authority Engine Authentication-Results: smtp02.rcn.cmh.synacor.com smtp.mail=mi+thun@aldan.algebra.com; spf=neutral; sender-id=neutral Authentication-Results: smtp02.rcn.cmh.synacor.com header.from=mi+thun@aldan.algebra.com; sender-id=neutral Authentication-Results: smtp02.rcn.cmh.synacor.com smtp.user=anat; auth=pass (PLAIN) Received-SPF: neutral (smtp02.rcn.cmh.synacor.com: 96.242.221.197 is neither permitted nor denied by domain of aldan.algebra.com) Received: from [96.242.221.197] ([96.242.221.197:50652] helo=[192.168.1.8]) by smtp.rcn.com (envelope-from ) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTPA id 46/35-14489-DF56DF15; Sat, 03 Aug 2013 16:20:13 -0400 Message-ID: <51FD65FD.9010205@aldan.algebra.com> Date: Sat, 03 Aug 2013 16:20:13 -0400 From: "Mikhail T." User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130209 Thunderbird/17.0.2 MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: Resolved (sort of): Struggling with AuthMerging References: <51F849AB.8050900@aldan.algebra.com> <51FB11A8.6010108@aldan.algebra.com> <51FB1F4C.8080005@aldan.algebra.com> <51FC77F9.7060108@aldan.algebra.com> <51FD40C3.9070606@aldan.algebra.com> <51FD4D43.1020401@aldan.algebra.com> In-Reply-To: Content-Type: multipart/alternative; boundary="------------000400080004070603050001" X-Virus-Checked: Checked by ClamAV on apache.org This is a multi-part message in MIME format. --------------000400080004070603050001 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit 03.08.2013 15:19, Eric Covener ???????(??): > I didn't interpret his response that way. Those are modules that will > create subrequests/internal redirects to new URIs that could have > separate authz applied to them from the original URI -- you can't > assume the server is any less interested in performing authz on them. Ben's examples -- given in CADkdwvRme0QObKdQVCjF+_h7St+CG8zDHhpnLXjup2V=KpQazQ@mail.gmail.com -- were mod_autoindex and mod_dav_svn. Both -- as far as I understood -- used additional authz-checks when generating the /body/ of the response. Not to decide, whether to authorize the request itself, but to decide, what exactly to send back after the authorization already succeeded. > The server can't tell the difference between that and > your mod_actions internal redirect to a new URI -- they need to be > checked. Then, perhaps, there should be a way for me to tell the server, that such a decision can be made for a particular Location (or Directory, or vhost). Yours, -mi --------------000400080004070603050001 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
03.08.2013 15:19, Eric Covener написав(ла):
I didn't interpret his response that way. Those are modules that will
create subrequests/internal redirects to new URIs that could have
separate authz applied to them from the original URI --  you can't
assume the server is any less interested in performing authz on them.
Ben's examples -- given in 
CADkdwvRme0QObKdQVCjF+_h7St+CG8zDHhpnLXjup2V=KpQazQ@mail.gmail.com
-- were mod_autoindex and mod_dav_svn. Both -- as far as I understood -- used additional authz-checks when generating the body of the response. Not to decide, whether to authorize the request itself, but to decide, what exactly to send back after the authorization already succeeded.

The server can't tell the difference between that and
your mod_actions internal redirect to a new URI -- they need to be
checked.
Then, perhaps, there should be a way for me to tell the server, that such a decision can be made for a particular Location (or Directory, or vhost).

Yours,
-mi
--------------000400080004070603050001--