> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:[EMAIL PROTECTED]]
> > 2. It encourages people to use <Location> where they should be
> using <Directory>.
> > (Imagine if you protected this <Location> block with basic
> auth, but forgot
> > that another URL can access the same directory.)
>
> Wouldn't matter. The beauty is that the <Location > protection
> is applied again.
> In some Location's - relative to a virtual host, I allow DAV
> access to a branch
> of the filename space. In others, I don't allow DAV, but I allow
> the usual GET/POST.
>
Sure, <Location> is great for some special cases. But we have always, in
general, recommended that <Directory> be used wherever possible if you are
dealing with the filesystem. There are just too many ways for multiple URLs
to map to a directory.
Imagine:
DocumentRoot /www
<Location /foo>
MapToFilePath /www/bar
Require valid-user
</Location>
Now request http://example.com/FOO/
What would happen on a case-insensitive file system? I don't know the
answer, but there are tons of special cases like this. (Another example:
Suppose that LocationMatch was used instead of location and the request was
for http://example.com//FOO/. This would certainly bypass auth.)
Your suggestion does not create any new problems (all of these things can
also happen with Alias), but it encourages people to use a configuration
that can be less secure.
Other than that, I agree it is cute and useful.
Joshua.
