>>> On 4/30/2007 at 9:54 AM, in message <[EMAIL PROTECTED]>, "Joshua Slive" <[EMAIL PROTECTED]> wrote:
> On 4/27/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
>>
>> It's beginning to look like Order, Allow, Deny, Satisfy can't be deprecated
>> after all. However I still think that there is a usefulness for the same
>> type of authorization rules defined by "require".
>>
>
> I don't really understand why you say this. Isn't it just a question
> of defining the order of evaluation of <SatisfyOne> blocks? And the
> proper order seems quite straight-forward to me.
>
> Joshua.
Well, the reason why is because of the order in which the hooks are called. We have three different hooks, access_checker, check_user_id and auth_checker. Basically, to give the hooks more understandable names, we have access_control, authentication and authorization. The directives that cause these hooks to be invoked are:

  Order, Allow from, Deny from          - access_control hook
  AuthBasicProvider, AuthDigestProvider - Authentication hook
  Require                               - Authorization hook

With the host based directives moving from "Allow from [host|IP|ENV]", "Deny from [host|IP|ENV]" to "Require [host|IP|ENV]", "Reject [host|IP|ENV]", the access control functionality moved from the access_control hook to the Authorization hook. This works great until you try to throw authentication into the mix. If your intention was to avoid a credentials challenge through access control, as soon as you include authentication, the check_user_id hook gets called and the first thing that happens is a check for the user name and password in the request header. If it isn't there, the challenge is sent back to the browser and the browser prompts for the user name and password. In this case there was no chance for "Require [host|IP]" to even have a crack at satisfying the request since the authorization hook was never called.

When I implemented this I thought I had all of the bases covered but apparently not (which is why I would like to see us at least roll an alpha of 2.3 so this stuff would get some visibility). There seem to be cases where access control and authorization should be separate. So I am starting to see the need to retain Order, Allow, Deny, Satisfy so that in cases where access control needs to happen outside of authorization, it can. I don't really like having to retain those directives, because it makes access control and authorization a little more confusing.

Better ideas?

Brad
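The hook-ordering problem Brad describes, modelled as an added example (constructed toy code, not httpd source or anything from the thread). It runs the three hooks in httpd's order and shows why a 2.3-style "Require [IP]" never gets a chance once authentication is configured, while the 2.2 "Allow from" plus "Satisfy any" pair short-circuits the challenge. The Config fields, the user "alice" and the addresses are made-up stand-ins for the directives named above.

```python
# Toy model of the httpd hooks access_checker -> check_user_id -> auth_checker.
from dataclasses import dataclass, field
from typing import Optional
OK, UNAUTHORIZED, FORBIDDEN = 200, 401, 403

@dataclass
class Config:
    allow_from: set = field(default_factory=set)  # 2.2 "Allow from" (access_checker)
    satisfy_any: bool = False                     # 2.2 "Satisfy any"
    users: Optional[dict] = None                  # auth provider configured if not None
    require_ip: set = field(default_factory=set)  # 2.3 "Require [IP]" (auth_checker)
@dataclass
class Request:
    client_ip: str
    credentials: Optional[tuple] = None  # (user, password) from the request header, if any

def access_checker(cfg, req):
    """Access control hook: only the 2.2 host directives are evaluated here."""
    if not cfg.allow_from:
        return None                         # nothing configured: decline
    if req.client_ip not in cfg.allow_from:
        return FORBIDDEN
    return OK if cfg.satisfy_any else None  # "Satisfy any": later hooks are skipped

def check_user_id(cfg, req):
    """Authentication hook: the first thing it does is look for credentials."""
    if cfg.users is None:
        return None
    if req.credentials is None:
        return UNAUTHORIZED                 # challenge goes back; auth_checker never runs
    user, password = req.credentials
    return None if cfg.users.get(user) == password else UNAUTHORIZED

def auth_checker(cfg, req):
    """Authorization hook: where the 2.3 "Require [host|IP]" checks moved to."""
    if req.client_ip in cfg.require_ip:
        return OK
    if cfg.users is not None and req.credentials is not None:
        return OK                           # Require valid-user
    return FORBIDDEN

def run_hooks(cfg, req):
    for hook in (access_checker, check_user_id, auth_checker):
        status = hook(cfg, req)             # first hook returning a status wins
        if status is not None:
            return status
    return FORBIDDEN
# Constructed configs with the same intent (trusted IP needs no password), two designs.
TRUNK = Config(users={"alice": "s3cret"}, require_ip={"10.0.0.5"})
LEGACY = Config(allow_from={"10.0.0.5"}, satisfy_any=True, users={"alice": "s3cret"})
```

With TRUNK, a request from 10.0.0.5 carrying no credentials gets 401 from check_user_id before auth_checker ever sees the Require rule; with LEGACY the same request is accepted in access_checker.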