>>> On 8/2/2006 at 1:38 PM, in message <[EMAIL PROTECTED]>, Ruediger Pluem <[EMAIL PROTECTED]> wrote:
> > On 08/02/2006 12:54 AM, [EMAIL PROTECTED] wrote: >> Author: bnicholes >> Date: Tue Aug 1 15:54:38 2006 >> New Revision: 427780 >> >> URL: http://svn.apache.org/viewvc?rev=427780&view=rev >> Log: >> Converted the reject directive to be definitive and enabled directory_merge > to merge all of the authorization rules and logic. >> >> Modified: >> httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml >> httpd/httpd/trunk/modules/aaa/mod_auth.h >> httpd/httpd/trunk/modules/aaa/mod_authz_core.c >> >> Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml >> URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core > .xml?rev=427780&r1=427779&r2=427780&view=diff >> > ============================================================================= > = >> --- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original) >> +++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Tue Aug 1 15:54:38 > 2006 >> @@ -112,8 +112,8 @@ >> >> <directivesynopsis> >> <name>Reject</name> >> -<description>Rejects which authenticated users can access >> -a resource</description> >> +<description>Rejects authenticated users or host based >> +requests from accessing a resource</description> >> <syntax>Reject <var>entity-name</var> [<var>entity-name</var>] ...</syntax> >> <contextlist><context>directory</context><context>.htaccess</context> >> </contextlist> 
>> @@ -122,10 +122,12 @@ >> <usage> >> <p>This directive is similar to the >> <directive module="mod_authz_core">Require</directive> directive however >> - it rejects which authenticated users can access a resource. The >> + it rejects which authenticated users or host based requests from > accessing a resource. The >> restrictions are processed by authorization modules. See the >> <directive module="mod_authz_core">Require</directive> directive for > details >> - about usage.</p> >> + about usage. If found as part of the authorization rules, the reject > directive >> + is definitive. In other words, if the reject statements is satisfied, > the entire request >> + is automatically rejected no matter what other require rules may >exist.</p> >> </usage> >> >> <seealso><a href="../howto/auth.html">Authentication, Authorization, 
>> @@ -220,6 +222,31 @@ >> >> <seealso><a href="../howto/auth.html">Authentication, Authorization, >> and Access Control</a></seealso> >> + >> +</directivesynopsis> >> + >> +<directivesynopsis type="section"> >> +<name>AuthzMergeRules</name> >> +<description>Set to 'on' to allow the parent's <Directory> or > <Location> >> +authz rules to be merged into the current <Directory> or > <Location>. >> +Set to 'off' to disable merging. If set to 'off', only the authz rules > defined in >> +the current <Directory> or <Location> block will >> apply.</description> >> +<syntax>AuthMergeRules on | off</syntax> >> +<default>AuthMergeRules on</default> >> +<contextlist><context>directory</context><context>.htaccess</context> >> +</contextlist> >> +<override>AuthConfig</override> >> + >> +<usage> >> + <p>By default all of the authorization rules within a <Directory> >> + <Location> hierarchy are merged together to form a single >> + logical authorization operation. If AuthzMergeRules is set to 'on', > then
>
> Shouldn't that be 'off' above?
>
> Regards
>
> Rüdiger

No, the default is to merge authz rules. At least that is how I understood access control to be working by default in the past. There was no concept of inherited authz before 2.3. Also, Joshua pointed out a flaw in my thinking which I am looking into now.

Brad
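
Review bot: In the first hunk (@@ -112,8 +112,8 @@), the new <description> reads "Rejects authenticated users or host based requests from accessing a resource"; "rejects ... from accessing" does not parse cleanly and "host based" should be hyphenated. Suggest wording along the lines of "Denies access to a resource for the listed authenticated users or host-based requests", so the one-line summary states plainly that a match means the request is refused.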
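
Review bot: In the second hunk (@@ -122,10 +122,12 @@), the added sentence says a satisfied Reject is definitive "no matter what other require rules may exist", but it does not say whether that includes rules merged in from a parent section, which the log message says this same commit enables. Because this decides whether a request is refused, the paragraph should state that case explicitly and point to AuthzMergeRules. Smaller points in the same paragraph: "it rejects which authenticated users or host based requests from accessing" is ungrammatical, "the reject statements is satisfied" has a number mismatch, and "reject directive" should use the <directive module="mod_authz_core"> markup the paragraph already uses for Require.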
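
Review bot: In the third hunk (@@ -220,6 +222,31 @@), the directive is called AuthzMergeRules in <name> and in the usage text, but <syntax> and <default> spell it AuthMergeRules (no "z"), so anyone copying the syntax line gets a name that does not match the documented directive. Make all three agree. Also, type="section" on the <directivesynopsis> looks wrong for a directive whose syntax is "on | off" rather than a container, and "within a <Directory> <Location> hierarchy" is missing an "or".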
