
Mailing List Archive: Apache: Dev
RequireAll: seems to evaluate require lines unnecessarily
 



minfrin at sharp

Aug 2, 2012, 2:49 PM



Hi all,

I have a config like this using httpd v2.4, in an effort to password protect each person's userdir:

<RequireAll>
Require valid-user
Require expr %{note:mod_userdir_user} == %{REMOTE_USER}
</RequireAll>

Hit it with a browser, and instead of 401 Unauthorized I'm getting 403 Forbidden, which prevents the basic authentication from kicking in and the user is denied.

The log however shows something odd - despite the RequireAll directive being used, which implies AND behaviour, which in turn implies that require lines should be parsed until the first one fails and then the parsing should stop, both require lines are being evaluated even though the first line failed, and the result of the second require line is being sent instead.

[Thu Aug 02 23:35:08.874887 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Aug 02 23:35:08.875130 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of Require expr %{note:mod_userdir_user} == %{REMOTE_USER}: denied
[Thu Aug 02 23:35:08.875153 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of <RequireAll>: denied

In theory, in the RequireAll situation, require directives should be parsed until one fails, and the result of that failure returned to the client. All further require lines should be ignored as is standard behaviour for AND implementations. In the example above, the "authorization result of Require valid-user : denied (no authenticated user yet)" part should prevent the "authorization result of Require expr %{note:mod_userdir_user} == %{REMOTE_USER}: denied" part from being attempted at all.

Can someone check whether my thinking is correct?

Regards,
Graham
--
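
An added example, not part of the original post and not httpd code: a small Python audit of AH01626 debug lines that reports, per container, which Require lines were still evaluated after a sibling was denied for lack of an authenticated user. The input is the three log lines quoted in the post; the function and field names are hypothetical, and it assumes non-nested containers whose result line follows their children's lines for the same pid/tid/client.

```python
import re

# The three AH01626 lines quoted in the post above.
SAMPLE_LOG = """\
[Thu Aug 02 23:35:08.874887 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Aug 02 23:35:08.875130 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of Require expr %{note:mod_userdir_user} == %{REMOTE_USER}: denied
[Thu Aug 02 23:35:08.875153 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of <RequireAll>: denied
"""

# The directive may itself contain ':' (as in %{note:...}), so the result is
# anchored to the end of the line and the directive is matched non-greedily.
LINE_RE = re.compile(
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\].*?\[client (?P<client>[^\]]+)\] "
    r"AH01626: authorization result of (?P<directive>.+?)\s*: "
    r"(?P<result>\w+)(?: \((?P<detail>[^)]*)\))?\s*$"
)
NO_USER = "no authenticated user yet"


def audit_containers(log_text):
    """Return one record per <Require*> container result found in the log."""
    pending = {}   # (pid, tid, client) -> child results seen so far
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["pid"], m["tid"], m["client"])
        if not m["directive"].startswith("<"):
            # A plain Require line: remember it until its container reports.
            pending.setdefault(key, []).append(
                (m["directive"], m["result"], m["detail"]))
            continue
        children = pending.pop(key, [])
        first = next((i for i, c in enumerate(children) if c[2] == NO_USER), None)
        later = [] if first is None else [c[0] for c in children[first + 1:]]
        records.append({"container": m["directive"], "result": m["result"],
                        "children": children, "evaluated_after_no_user": later})
    return records


if __name__ == "__main__":
    for rec in audit_containers(SAMPLE_LOG):
        print(rec["container"], "->", rec["result"])
        for directive in rec["evaluated_after_no_user"]:
            print("  evaluated after a no-user denial:", directive)
```
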

Subject User Time
RequireAll: seems to evaluate require lines unnecessarily minfrin at sharp Aug 2, 2012, 2:49 PM
    Re: RequireAll: seems to evaluate require lines unnecessarily rpluem at apache Aug 2, 2012, 11:47 PM
    Re: RequireAll: seems to evaluate require lines unnecessarily sf at sfritsch Aug 3, 2012, 12:25 AM
        Re: RequireAll: seems to evaluate require lines unnecessarily minfrin at sharp Aug 5, 2012, 11:56 AM
            Re: RequireAll: seems to evaluate require lines unnecessarily sf at sfritsch Aug 5, 2012, 1:39 PM
    Re: RequireAll: seems to evaluate require lines unnecessarily minfrin at sharp Aug 5, 2012, 2:52 PM
        Re: RequireAll: seems to evaluate require lines unnecessarily sf at sfritsch Aug 5, 2012, 3:01 PM
            Re: RequireAll: seems to evaluate require lines unnecessarily minfrin at sharp Aug 6, 2012, 10:05 AM
