httpd-docs mailing list archives

From "Joshua Slive" <>
Subject Re: Significance of evaluation order?
Date Wed, 08 Nov 2006 15:44:37 GMT
On 11/8/06, Chris Pepper <> wrote:
> At 9:40 AM -0500 2006/11/08, Joshua Slive wrote:
> >On 11/4/06, Chris Pepper <> wrote:
> >
> >>Note that Allow and Deny directives are processed <strong>in
> >>ascending order</strong>, unlike a typical firewall, where only the
> >>first match counts.
> >
> >That's all fine with me.  But I really don't find "in ascending order"
> >to mean anything in particular.  Is that firewall terminology?  I'd
> >just say something along the lines of "Note that the <strong>last
> >evaluated</strong> Allow or Deny directive sets the final access
> >state."
>         It needs to be clear that a 'Deny' coming after an 'Allow'
> wins. I was thinking of priorities that climb as you advance through
> the passes, as opposed to firewalls, which never see conflicting
> rules because they stop at the first match.

I just don't think "ascending" means anything in this context.  So
just say it explicitly as you do above (and as I do above that).

>         Does this table clarify or just confuse? It could also be
> rendered as a couple bulleted lists, but I think it's helpful to see
> the A,D results in relation to the D,A results.
>         If we can agree on content, I'll convert to XML and submit.
> <table border="1">
>         <tr>
>                 <th>Allow,Deny Match</th>
>                 <th>Allow,Deny Result</th>
>                 <th>Deny,Allow Result</th>
>         </tr><tr>
>                 <th>Match Allow only</th>
>                 <td>Request Allowed</td>
>                 <td>Request Allowed</td>
>         </tr><tr>
>                 <th>Match Deny only</th>
>                 <td>Request Denied</td>
>                 <td>Request Denied</td>
>         </tr><tr>
>                 <th>No match</th>
>                 <td>Default to second directive (Denied)</td>
>                 <td>Default to second directive (Allowed)</td>
>         </tr><tr>
>                 <th>Match both Allow &amp; Deny directives</th>
>                 <td>Final match 'wins': request Denied</td>
>                 <td>Final match 'wins': request Allowed</td>
>         </tr>
> </table>

I like the table.  But I'd replace "Allow,Deny result" with just
"Order allow,deny" (and similarly for Deny,Allow); I'd leave the cell
"Allow,Deny match" blank, and I'd replace "Default to second directive
(Denied)" with "Default condition: request Denied".

By the way, go ahead and commit.  It seems there is general consensus
you are going in the right direction, and details can be cleaned up

