mod_authany's check user id hook is registered to run APR_HOOK_FIRST, as is mod_ssl's.
mod_ssl's check user id hook needs to run before anything else that *uses* basic auth because it can create basic auth information from the certificate, for processing by "normal" check user id hooks. Like practically all check user id hooks, mod_authany's hook operates on existing basic auth information, so it must run after mod_ssl's hook.

I don't have a crisp understanding of why mod_authany's check user id hook should be registered to run APR_HOOK_FIRST. Any comments on that? I'll try to think on that some more.

Note that while the current, single APR_HOOK_FIRST specification applies to both check user id and auth checker hooks, in the original implementation of the module APR_HOOK_FIRST was individually specified for both. (changes to framework magic, apparently to work with Apache 1.3) So the double application of APR_HOOK_FIRST isn't a hint.

Beyond the mod_authany question, why doesn't mod_ssl declare its check user id hook really-first if it can generate the basic auth? (Let the extremely limited number of modules which generate basic auth headers fight it out via predecessor/successor lists.)

assert(A change to the mod_ssl hook ordering could theoretically break existing modules, so that should be for future releases only.)

assert(Whatever is done in mod_ssl, the <2.3 logic in mod_authany needs to ensure that its check user id hook runs after mod_ssl's.)
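The ordering problem discussed in this message, as an added example that is not part of the original post and is not httpd or mod_authany code: a simplified stand-alone model of how an order value plus a predecessor list decides which check user id hook runs first. The struct, the function names and the tie-breaking by registration order are assumptions of the model; in a real module the predecessor list is the `aszPre` argument of `ap_hook_check_user_id()`.

```c
#include <stdio.h>
#include <string.h>

/* Same numeric values as APR_HOOK_REALLY_FIRST / APR_HOOK_FIRST in apr_hooks.h. */
enum { REALLY_FIRST = -10, FIRST = 0 };

struct hook {
    const char *module;      /* registering module, e.g. "mod_ssl.c" */
    int order;               /* models the nOrder argument */
    const char *const *pre;  /* NULL-terminated predecessor list, or NULL */
};

/* Index of a module's hook in the chain, or -1 if it is not registered. */
int position(const struct hook *h, int n, const char *module) {
    for (int i = 0; i < n; i++)
        if (strcmp(h[i].module, module) == 0) return i;
    return -1;
}

/* Move the hook at index 'from' up to index 'to' (to <= from). */
static void move_before(struct hook *h, int from, int to) {
    struct hook tmp = h[from];
    memmove(&h[to + 1], &h[to], (size_t)(from - to) * sizeof *h);
    h[to] = tmp;
}

/* Model: stable sort by order (ties keep registration order), then pull each
 * listed predecessor in front of the hook that names it. Assumes no cycles. */
void sort_hooks(struct hook *h, int n) {
    for (int i = 1; i < n; i++)
        for (int j = i; j > 0 && h[j].order < h[j - 1].order; j--)
            move_before(h, j, j - 1);
    for (int changed = 1; changed; ) {
        changed = 0;
        for (int i = 0; i < n; i++)
            for (const char *const *p = h[i].pre; p && *p; p++) {
                int j = position(h, n, *p);
                if (j > i) { move_before(h, j, i); changed = 1; }
            }
    }
}

int main(void) {
    static const char *const after_ssl[] = { "mod_ssl.c", NULL };
    /* Constructed registration order: mod_authany registers before mod_ssl. */
    struct hook chain[] = { { "mod_authany.c", FIRST, after_ssl },
                            { "mod_ssl.c", FIRST, NULL } };
    sort_hooks(chain, 2);
    for (int i = 0; i < 2; i++) printf("%d: %s\n", i, chain[i].module);
    return 0;
}
```

With both hooks at the same order value and no predecessor list, the model leaves mod_authany ahead of mod_ssl; naming `mod_ssl.c` as a predecessor, or giving mod_ssl the really-first value, puts mod_ssl's hook first.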
