httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Mentovai <>
Subject RE: Authentification by password & IP
Date Tue, 16 Jul 2002 14:32:20 GMT
Rich Bowen wrote:
> It is indeed different. Rather than allowing a particular range, it
> denies everyone outside of the two allowed ranges, as required. It then
> requires that the users are either in group1, or provide a password:
> deny from env=NotAllowed
> Allow from env=Group1
> require user foo
> satisfy any
> The deny from is disallowing people outside of the allowed IP blocks, as
> desired. The satisfy any means that either we can be in group1 (defined
> in the setenvif line that you left out) or they can provide a password,
> but only one of the two is required.
> I'm pretty certain that this does indeed do what you want.

When you say "Satisfy Any", you instruct the server that the client must meet 
one of the following requirements:
 - Access permitted by Allow and Deny directives (mod_access)
 - Access permitted by Require directive (authentication)
Either of these alone are sufficient.  If a client is explicitly denied due to 
a Deny, it still has a shot at authentication.  If a client is explicitly 
allowed due to an Allow, it will not be given a 401.

Your solution allows clients in one group access with no password (group 1), 
and clients in the other group access with a password (group 2), which is 
correct.  What it does not do is deny any access to clients not in either 
group.  Instead, it also allows those clients access with a password.  You 
can't use "Satisfy All", because that would allow access to clients in group 1 
with a password (not correct), denying access to group 2 (not correct).

This has nothing to do with mod_setenvif and everything to do with Satisfy.  
Satisfy is too limited to solve this problem on its own.

(There are still other solutions in addition to the one I posted.)


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message