httpd-docs mailing list archives

From Takashi Sato <taka...@lans-tv.com>
Subject Fw: Re: MatchAll description
Date Mon, 24 Nov 2008 15:17:39 GMT
Begin forwarded message:

Date: Mon, 17 Nov 2008 09:27:03 -0800
From: Chris Darroch <chrisd@pearsoncmg.com>
To: doc@httpd.apache.org
Cc: takashi@lans-tv.com
Subject: Re: MatchAll description


Organization: Pearson CMG/CTG
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080925 SeaMonkey/1.1.12

Takashi Sato wrote:

> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#matchall
> "If none of the directives contained within the <MatchAll> directive fails, 
> and at least one succeeds, then the <MatchAll> directive succeeds. "
> 
> According to this, the following config would grant access from 127.0.0.1
> with no username/password.
> 
> <Location /server-info>
>     SetHandler server-info
> 
>     AuthType Digest
>     AuthName "private area"
>     AuthUserFile "/var/www/password"
> 
>     Match valid-user
>     Match ip 127.0.0.0/8
> </Location>
> 
> But actually 127.0.0.1 needs to be "valid-user".

   Yes, that's true, because the "valid-user" authz provider will
succeed for any request with a login (it assumes the authn providers
have authenticated that login), but fail for any request without
a login.  So in the case you describe, it fails, which means the block
as a whole fails (since one or more of the directives failed).

   There are certainly some subtle aspects to all of this, in particular,
the way that "positive" directives (like Match and Require) can only
return success or failure, while "negated" directives can only return
failure or a neutral value.  Then you've got the specific action of
the various authz providers.

   Here I might think we want to add a note to the docs on the
valid-user provider that it fails if there's no login.  Would that help,
do you think?

Chris.

-- 
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B
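
The evaluation described in this reply, as an added example that is not part of the original message and is not httpd's own code: a small Python model of the success/failure/neutral results, with the two Match lines of the quoted config combined as an all-of block. The names Authz, match_all, negate and evaluate, the sample requests, and the all-neutral result are assumptions of this sketch.

```python
import ipaddress
from enum import Enum

class Authz(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

def valid_user(req):
    # Succeeds for any request that carries a login, fails for one without.
    return Authz.GRANTED if req.get("user") else Authz.DENIED

def ip(cidr):
    net = ipaddress.ip_network(cidr)
    def check(req):
        inside = ipaddress.ip_address(req["addr"]) in net
        return Authz.GRANTED if inside else Authz.DENIED
    return check

def negate(provider):
    # A negated directive can only return failure or a neutral value.
    def check(req):
        return Authz.DENIED if provider(req) is Authz.GRANTED else Authz.NEUTRAL
    return check

def match_all(*directives):
    def check(req):
        results = [d(req) for d in directives]
        if Authz.DENIED in results:      # one failure fails the whole block
            return Authz.DENIED
        if Authz.GRANTED in results:     # none failed and at least one succeeded
            return Authz.GRANTED
        return Authz.NEUTRAL             # assumption: all-neutral stays neutral
    return check

# Constructed model of the quoted <Location /server-info> block.
server_info = match_all(valid_user, ip("127.0.0.0/8"))

def evaluate(addr, user=None):
    return server_info({"addr": addr, "user": user})

if __name__ == "__main__":
    # Constructed sample requests: (client address, authenticated login or None).
    for addr, user in [("127.0.0.1", None), ("127.0.0.1", "alice"), ("192.0.2.10", "alice")]:
        print(addr, user, evaluate(addr, user).value)
```

The first sample request is the case from the thread: a loopback client with no login is denied because valid-user fails, and that single failure decides the block.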
