While doing this patch (and ending up with 3 very small modules); I found
the following legacy behaviour. Any feels as to if we shall kill these
surprizing behaviourisms in 2.0 or stay as close to 1.3 as possibe ?:
-> if there are no requires - but there is Auth happening
we actively OK.
-> If there are no requires for the method (but there are
requires for that directory for other methods)
we actively OK.
-> If we have for example a (Group,..)File but opening it failes
then we ignore any 'require group' and DECLINE to other modules.
Proposal to fixing these leaks (comment now or wait for code) and allowing
small footprint modules to take part of the process over:
-> mod_auth_file
auth UserID/passwd against file
DECLINE if no file configured
ERROR if file read error (was DECLINE/UNAUTH)
OK if ok
DECLINE if UID not found & non-authoritative
UNAUTH otherwise
-> mod_auth_groupfile
checks UserID against required 'require (valid-)group'
DECLINE if no requirements at all (was OK)
DECLINE if no group file configurued
ERROR if file read error (was IGNORE)
OK if in a group
DECLINE if no applicable method requirments (was OK)
DECLINE if no recognized method requirements
DECLINE if not authoritative and not in recognized groups.
UNAUTH otherwsie
-> mod_require_user
checks UserID against required 'require (valid-)user'
DECLINE if no requirements at all (was OK)
OK if in the list /valid user
DECLINE if no applicable method requirements. (was OK)
DECLINE if no recognized requirements
DECLINE if there are lists, not in list but non
authoritative
UNAUTH otherwise
And then - to get closer to the old apache:
-> mod_auth_default
auth DECLINE if no Basic Auth header/r->user.
DECLINE if not authoritative
UNAUTH otherwise
check DECLINE if no r->user
OK if no requires (*)
OK if no applicable method requirements (*)
DECLINE if not authoriative
UNAUTH otherwise
*: I.e. in mod_auth_default we 'fix' to get closer to the behaviour from
1.3; An alternative would be to not do this and change to always UNAUTH
then when there is r->user information provided and not authoritative.
I do want to allow fall through - so that a perl/php/java backend is able
to get access if/when needed. Thus:
-> apache core
auth OK
check OK
Of course - the mod_auth_default could also be in the core of the http
proocol handling.
Does this make sense ?
Dw.
--
Dirk-Willem van Gulik
