>>> On 4/4/2008 at 11:37 AM, in message <[EMAIL PROTECTED]>, Chris Darroch <[EMAIL PROTECTED]> wrote:
> William A. Rowe, Jr. wrote:
>
>>> I've been working with the 2.4 authn/z stuff a bit lately and
>>> what I keep tripping over is that the default authorization merge rule
>>> uses OR logic. For example, if I enable mod_access_compat and
>>> put in a traditional:
>>
>> I wonder if anyone would offer a fastfeather talk next week on wed or
>> thurs - it's only 15 minutes - to introduce what's upcoming in 2.4?
>
> I won't be there, but here's a recap of the issue for discussion.
> (Caveat: I may be missing something important!)
>
> With 2.2 and prior versions, one can do something like:
>
> <Directory /htdocs>
> Require valid-user
> </Directory>
> <Directory /htdocs/admin>
> Require user admin
> </Directory>
>
> The logic which is then applied is:
>
> 1) For all requests under /htdocs, except those under /htdocs/admin,
> require any valid user.
> 2) For all requests under /htdocs/admin, require the "admin" user.
>
> With 2.4, unless I'm missing something, the same configuration
> produces the logic:
>
> 1) For all requests under /htdocs, except those under /htdocs/admin,
> require any valid user.
> 2) For all requests under /htdocs/admin, require any valid user OR
> require the user "admin". Of course this grants any valid user access.
>
> To get the old behaviour, you seem to need to add
> "AuthzMergeRules Off" to the second <Directory>. I just tested
> versions of this configuration with 2.2 and 2.4 and I think I'm
> describing the situation correctly. Assuming I am, I fear this
> will surprise a lot of people who think they've secured their
> systems after upgrading. It certainly caught me short.
>
> Perhaps the default AuthzMergeRules setting should be Off rather
> than On, at least when merging across configuration blocks?
>
So here was the thinking behind it when AuthzMergeRules was introduced. Maybe there is still a bug here that needs to be addressed.

http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/[EMAIL PROTECTED]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/[EMAIL PROTECTED]

Brad
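The merge behaviour Chris describes, modelled as an added example that is not httpd code: a simplified stand-in for how the Require rules of nested <Directory> blocks combine, with the `Section` type, the `audit` helper and the non-admin user "alice" assumed here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Section:
    """One <Directory> block: path prefix, Require rules, and whether the
    block merges (ORs) with inherited rules or replaces them."""
    path: str
    requires: List[str]   # e.g. "valid-user" or "user admin"
    merge: bool = True    # AuthzMergeRules On, the 2.4 default in the thread

def _rule_allows(rule: str, user: Optional[str]) -> bool:
    """Evaluate one Require rule for an authenticated user (None = anonymous)."""
    if user is None:
        return False
    if rule == "valid-user":
        return True
    kind, _, names = rule.partition(" ")
    if kind == "user":
        return user in names.split()
    raise ValueError(f"unsupported rule: {rule}")

def effective_rules(sections: List[Section], request_path: str) -> List[str]:
    """Walk matching <Directory> sections from shortest to longest prefix,
    the order httpd merges them.  A merging block ORs its rules onto the
    inherited list; a non-merging block replaces the list outright."""
    rules: List[str] = []
    for sec in sorted(sections, key=lambda s: len(s.path)):
        prefix = sec.path.rstrip("/") + "/"
        if request_path == sec.path or request_path.startswith(prefix):
            rules = (rules + sec.requires) if sec.merge else list(sec.requires)
    return rules

def is_authorized(sections: List[Section], path: str, user: Optional[str]) -> bool:
    return any(_rule_allows(r, user) for r in effective_rules(sections, path))

# The two-block configuration from the thread under each merge behaviour.
MERGED = [Section("/htdocs", ["valid-user"]),
          Section("/htdocs/admin", ["user admin"])]               # 2.4 default (OR)
OVERRIDE = [Section("/htdocs", ["valid-user"]),
            Section("/htdocs/admin", ["user admin"], merge=False)]  # 2.2, or AuthzMergeRules Off

def audit(sections: List[Section], users=("admin", "alice")) -> dict:
    """Map each sample path to the set of users who would be let in;
    'alice' is a constructed non-admin account."""
    paths = ("/htdocs/index.html", "/htdocs/admin/panel")
    return {p: {u for u in users if is_authorized(sections, p, u)} for p in paths}
```

Running `audit` over both lists is the quick check an upgrader wants: the merged (OR) variant lets "alice" into /htdocs/admin, the override variant does not.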