Date: Fri, 2 Aug 2013 17:17:40 -0700
Subject: Re: Resolved (sort of): Struggling with AuthMerging
From: Ben Reser
To: dev

On Thu, Aug 1, 2013 at 7:54 PM, Mikhail T. wrote:
> 01.08.2013 22:47, Ben Reser wrote:
>> That's not a bug at all. In some cases it may be necessary for
>> authorization to run for sub-requests.
>
> Could you give an example or two? Thanks,

Sure.

mod_autoindex automatically provides a directory listing of files under a path. However, by default it doesn't display any paths that you don't have access to, e.g. .htaccess. It does this by issuing subrequests for those other paths so that authz can run on them. (This behavior could be changed with IndexOptions ShowForbidden).

mod_dav_svn. Numerous commands in SVN impact other paths than the URI (e.g. `svn list` which is similar to the autoindex case above, committing a copy or move which touch two paths one of which is not in the URI but rather in the headers). mod_dav_svn issues sub requests for these other paths to find out if the actions are allowed on them. Because of the performance impact of this mod_dav_svn has the SVNPathAuthz directive to change this behavior. One of the possible values is short_circuit which causes mod_dav_svn to talk directly to mod_authz_svn rather than doing a subrequest. You might ask why don't we just do this by default? The reason is that if there are other authorization limits placed from other modules then they would no longer be respected.
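
The two directives mentioned in the message, shown as an added configuration sketch that is not part of the original mail. It assumes Apache httpd 2.4 syntax with mod_autoindex, mod_dav_svn and mod_authz_svn loaded; every path, realm and file name is a placeholder.

```apache
# Constructed example: all paths and file names below are placeholders.

# --- mod_autoindex -------------------------------------------------------
# Each entry of a generated listing is checked with a subrequest, so an
# entry whose subrequest is denied is left out of the index.
<Directory "/srv/www/files">
    Options +Indexes
    Require all granted

    # Uncommenting this lists entries even when their subrequest is
    # denied, which discloses the names of protected files.
    # IndexOptions +ShowForbidden
</Directory>

# The .htaccess case from the message: fetching these files is denied,
# so the per-entry subrequest fails and they do not appear in the listing.
<Files ".ht*">
    Require all denied
</Files>

# --- mod_dav_svn ---------------------------------------------------------
<Location "/svn">
    DAV svn
    SVNParentPath "/srv/svn"

    AuthType Basic
    AuthName "Subversion"
    AuthUserFile "/etc/httpd/svn.htpasswd"
    AuthzSVNAccessFile "/etc/httpd/svn.authz"
    Require valid-user

    # Paths other than the request URI (listing entries, copy or move
    # sources) are checked with subrequests, so every authorization
    # module configured for those paths gets to run.
    SVNPathAuthz on

    # Faster alternative: mod_dav_svn asks mod_authz_svn directly instead
    # of issuing a subrequest. Limits that other modules place on those
    # paths are then not consulted, so use it only when the
    # AuthzSVNAccessFile rules are the sole path-level restriction.
    # SVNPathAuthz short_circuit
</Location>
```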