httpd-docs mailing list archives

From Chris Pepper <pep...@reppep.com>
Subject Re: Significance of evaluation order?
Date Sat, 04 Nov 2006 05:11:36 GMT
At 3:57 PM -0500 2006/11/03, Joshua Slive wrote:
>On 11/3/06, Rich Bowen <rbowen@rcbowen.com> wrote:
>>
>>On Nov 3, 2006, at 15:33, robert.kennington@yahoo.com wrote:
>>
>>>    Here are some proposed definitions:
>>>
>>>  Order Allow, Deny:  Initially a flag for each incoming URL is set
>>>  to Deny.  Then all Allow directives (i.e. "Allow foobar.org") are
>>>  applied followed by all Deny directives regardless of which order
>>>  the Allow and Deny directives appear after the Order directive.
>>>
>>>  Order Deny, Allow:  Initially a flag for each incoming URL is set
>>>  to Allow.  Then all Deny directives (i.e. "Allow foobar.org") are
>>>  applied followed by all Allow directives regardless of which order
>>>  the Allow and Deny directives appear after the Order directive.
>>
>>+1. These are an improvement over what we have, and will alleviate
>>much confusion.
>
>I'm all for improvements, but this suggestion has lots of problems:
>- No space after the comma between Allow and Deny.
>- "for each incoming URL" is superfluous and confusing.
>- The mini example "(i.e. ...)" doesn't add anything
>- Why introduce the concept of a "flag"?  I think it just obscures things.
>- It doesn't solve Chris' initially reported confusion, which is that
>it needs to be specified that the last evaluated directive wins.
>
>How about:
>
>Deny,Allow
>The access state is initially set to <em>allowed</em>.  The Deny
>directives are then evaluated, followed by the Allow directives, with
>the last matching directive setting the final access state.  Clients
>are allowed access if they do not match any Deny directive
><strong>or</strong> they do match an Allow directive.
>
>Allow,Deny
>The access state is initially set to <em>denied</em>.  The allow
>directives are then evaluated, followed by the Deny directives, with
>the last matching directive setting the final access state.  Clients
>are allowed access if they do not match any Deny directive
><strong>and</strong> they do match an allow directive.

	I think there should be some explanation of the names (at 
least to help remember what they are). How's this?


The Allow and Deny directives (and the Order directive) control a 
three-pass access control method. The first pass processes all Allow 
or Deny directives, as specified by the Order directive. The second 
pass parses the rest of the directives (Deny or Allow). The third 
"default" pass applies to all requests which do not match either of 
the first two.

Note that Allow and Deny directives are processed <strong>in 
ascending order</strong>, unlike a typical firewall, where only the 
first match counts. Additionally, the order in which lines appear in 
the configuration files is not significant -- all Allow lines are 
processed as a group, and all Deny lines are considered together.

Allow,Deny
First, all Allow directives are evaluated; at least one must match, 
or the request is rejected. Next, all Deny directives are evaluated. 
If any matches, the request is rejected. Last, any requests which do 
not match an Allow or a Deny directive are denied by default.

Deny,Allow
First, all Deny directives are evaluated; if any match, the request 
is denied <strong>unless</strong> it also matches an Allow directive. 
Any requests which do not match any Allow or Deny directives are 
permitted.


						Chris
-- 
Chris Pepper:               <http://www.reppep.com/~pepper/>
                             <http://www.reppep.com/weblog/pepper/>
Rockefeller University:     <http://www.rockefeller.edu/>
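
The evaluation order this thread is trying to document, as an added example (not part of the original messages and not Apache's own code). The function names, the sample networks and the restriction to "all", IP and CIDR host specs are assumptions of this model; it shows the two cases where the Order setting changes the outcome: a client matching both lists, and a client matching neither.

```python
import ipaddress

def matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec covers the client (model: 'all', IP or CIDR only)."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def access_allowed(order, allow, deny, client_ip):
    """Model of Order: directives are grouped by type, so their position in the file is ignored."""
    passes = {
        # order: (initial state, [(group evaluated, state it sets on a match), ...])
        "deny,allow": (True, [(deny, False), (allow, True)]),
        "allow,deny": (False, [(allow, True), (deny, False)]),
    }
    key = order.lower()
    if key not in passes:
        raise ValueError("unsupported Order value: %r" % order)
    state, groups = passes[key]
    for specs, verdict in groups:
        # The group evaluated last overrides the earlier one when both match.
        if any(matches(s, client_ip) for s in specs):
            state = verdict
    return state

def truth_table(allow, deny, clients):
    """Map each client to (result under Allow,Deny, result under Deny,Allow)."""
    return {ip: (access_allowed("Allow,Deny", allow, deny, ip),
                 access_allowed("Deny,Allow", allow, deny, ip)) for ip in clients}

# Constructed sample rules and clients (documentation and private ranges only).
ALLOW = ["10.0.0.0/8"]
DENY = ["10.1.0.0/16", "192.0.2.0/24"]
CLIENTS = {
    "10.2.3.4": "matches Allow only",
    "192.0.2.7": "matches Deny only",
    "10.1.5.5": "matches both",
    "198.51.100.9": "matches neither",
}

if __name__ == "__main__":
    print("%-14s %-20s %-11s %s" % ("client", "case", "Allow,Deny", "Deny,Allow"))
    for ip, (ad, da) in truth_table(ALLOW, DENY, CLIENTS).items():
        print("%-14s %-20s %-11s %s" % (ip, CLIENTS[ip], ad, da))
```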
