
Mailing List Archive: Apache: Docs

Fw: Re: MatchAll description

 

 



takashi at lans-tv

Nov 24, 2008, 7:17 AM

Fw: Re: MatchAll description

Begin forwarded message:

Date: Mon, 17 Nov 2008 09:27:03 -0800
From: Chris Darroch <chrisd [at] pearsoncmg>
To: doc [at] httpd
Cc: takashi [at] lans-tv
Subject: Re: MatchAll description


Organization: Pearson CMG/CTG
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080925 SeaMonkey/1.1.12

Takashi Sato wrote:

> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#matchall
> "If none of the directives contained within the <MatchAll> directive fails,
> and at least one succeeds, then the <MatchAll> directive succeeds. "
>
> According to this, the following config would grant access from 127.0.0.1
> with no username/password.
>
> <Location /server-info>
> SetHandler server-info
>
> AuthType Digest
> AuthName "private area"
> AuthUserFile "/var/www/password"
>
> Match valid-user
> Match ip 127.0.0.0/8
> </Location>
>
> But actually 127.0.0.1 needs to be "valid-user".

Yes, that's true, because the "valid-user" authz provider will
succeed for any request with a login (it assumes the authn providers
have authenticated that login), but fail for any request without
a login. So in the case you describe, it fails, which means the block
as a whole fails (since one or more of the directives failed).

There are certainly some subtle aspects to all of this, in particular,
the way that "positive" directives (like Match and Require) can only
return success or failure, while "negated" directives can only return
failure or a neutral value. Then you've got the specific action of
the various authz providers.

Here I might think we want to add a note to the docs on the
valid-user provider that it fails if there's no login. Would that help,
do you think?

Chris.

--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263 E4DE C8E3 FA36 366A 375B

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe [at] httpd
For additional commands, e-mail: docs-help [at] httpd
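
The evaluation rule explained in the reply above, modeled as an added Python example (not part of the thread and not httpd's own code). The `Authz` states, the function names and the sample requests are constructed for illustration, and the neutral result for a block in which nothing succeeds or fails is an assumption.

```python
import ipaddress
from enum import Enum

class Authz(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

def valid_user(req):
    # Positive directive: succeeds for any request with a login, fails without one.
    return Authz.GRANTED if req.get("user") else Authz.DENIED

def ip(cidr):
    # Positive directive: succeeds when the client address is inside the network.
    net = ipaddress.ip_network(cidr)
    def check(req):
        addr = ipaddress.ip_address(req["addr"])
        return Authz.GRANTED if addr in net else Authz.DENIED
    return check

def negated(provider):
    # Negated directive: can only return failure (on a match) or a neutral value.
    def check(req):
        return Authz.DENIED if provider(req) is Authz.GRANTED else Authz.NEUTRAL
    return check

def match_all(directives, req):
    # Any failure fails the block; otherwise at least one success is required.
    results = [d(req) for d in directives]
    if Authz.DENIED in results:
        return Authz.DENIED
    if Authz.GRANTED in results:
        return Authz.GRANTED
    return Authz.NEUTRAL  # assumption: nothing succeeded and nothing failed

# The two Match lines from the quoted <Location /server-info> block.
SERVER_INFO = [valid_user, ip("127.0.0.0/8")]

# Constructed sample requests.
LOCAL_ANON = {"addr": "127.0.0.1", "user": None}
LOCAL_LOGIN = {"addr": "127.0.0.1", "user": "alice"}
REMOTE_LOGIN = {"addr": "192.0.2.10", "user": "alice"}

if __name__ == "__main__":
    for name, req in [("local, no login", LOCAL_ANON), ("local, login", LOCAL_LOGIN),
                      ("remote, login", REMOTE_LOGIN)]:
        print(f"{name}: {match_all(SERVER_INFO, req).value}")
```
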


takashi at lans-tv

Nov 24, 2008, 7:50 AM

Re: MatchAll description

> Takashi Sato wrote:
>
> > http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#matchall
> > "If none of the directives contained within the <MatchAll> directive fails,
> > and at least one succeeds, then the <MatchAll> directive succeeds. "
> >
> > According to this, the following config would grant access from 127.0.0.1
> > with no username/password.
> >
> > <Location /server-info>
> > SetHandler server-info
> >
> > AuthType Digest
> > AuthName "private area"
> > AuthUserFile "/var/www/password"
> >
> > Match valid-user
> > Match ip 127.0.0.0/8
> > </Location>
> >
> > But actually 127.0.0.1 needs to be "valid-user".
>
> Yes, that's true, because the "valid-user" authz provider will
> succeed for any request with a login (it assumes the authn providers
> have authenticated that login), but fail for any request without
> a login. So in the case you describe, it fails, which means the block
> as a whole fails (since one or more of the directives failed).
>
> There are certainly some subtle aspects to all of this, in particular,
> the way that "positive" directives (like Match and Require) can only
> return success or failure, while "negated" directives can only return
> failure or a neutral value. Then you've got the specific action of
> the various authz providers.

Thanks for the explanation. I thought "positive" directives can only return
success or a neutral value.

> Here I might think we want to add a note to the docs on the
> valid-user provider that it fails if there's no login. Would that help,
> do you think?

I'm looking at mod_authz_user.xml, and IMHO it is sufficient.
I feel like adding something to mod_authz_core.

