Graham Leggett wrote:
> Hi all,
> 
> I have a config like this using httpd v2.4, in an effort to password protect 
> each person's userdir:
> 
>     <RequireAll>
>       Require valid-user
>       Require expr %{note:mod_userdir_user} == %{REMOTE_USER}
>     </RequireAll>
> 
> Hit it with a browser, and instead of 401 Unauthorized I'm getting 403 
> Forbidden instead, which prevents the basic authentication from kicking in 
> and the user is denied.
> 
> The log however shows something odd - despite the RequireAll directive being 
> used, which implies AND behaviour, which in turn implies that require lines 
> should be parsed until the first one fails and then the parsing should stop, 
> both require lines are being evaluated even though the first line failed, and 
> the result of the second require line is being sent instead.
> 
> [Thu Aug 02 23:35:08.874887 2012] [authz_core:debug] [pid 19527:tid 
> 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: 
> authorization result of Require valid-user : denied (no authenticated user 
> yet)
> [Thu Aug 02 23:35:08.875130 2012] [authz_core:debug] [pid 19527:tid 
> 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: 
> authorization result of Require expr %{note:mod_userdir_user} == 
> %{REMOTE_USER}: denied
> [Thu Aug 02 23:35:08.875153 2012] [authz_core:debug] [pid 19527:tid 
> 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: 
> authorization result of <RequireAll>: denied
> 
> In theory, in the RequireAll situation, require directives should be parsed 
> until one fails, and the result of that failure returned to the client. All 
> further require lines should be ignored as is standard behaviour for AND 
> implementations. In the example above, the "authorization result of Require 
> valid-user : denied (no authenticated user yet)" part should prevent the 
> "authorization result of Require expr %{note:mod_userdir_user} == 
> %{REMOTE_USER}: denied" part from being attempted at all.
> 
> Can someone check whether my thinking is correct?

Sounds correct.

Regards

Rüdiger
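
One way to find the pattern described in this thread in an error log written at `LogLevel authz_core:debug`, as an added example that is not part of the original messages or of httpd itself: it flags `<RequireAll>` denials where a "no authenticated user yet" result was followed by further `Require` evaluations and a plain denial. The function names, the second sample request (port 50700) and the assumption of one flat container per request are this example's own.

```python
import re

# AH01626 lines as written by mod_authz_core at LogLevel authz_core:debug.
AH01626 = re.compile(
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\].*?\[client (?P<client>[^\]]+)\] "
    r"AH01626: authorization result of (?P<rule>.+?)\s*: (?P<result>\w+)"
    r"(?P<nouser> \(no authenticated user yet\))?\s*$"
)

def find_masked_challenges(lines):
    """Return RequireAll denials in which a 'no authenticated user yet' result
    was followed by more Require evaluations and lost in the final result.
    Assumes one flat container per request (no nested <Require*> blocks)."""
    pending = {}    # (pid, tid, client) -> child results since the last container line
    findings = []
    for line in lines:
        m = AH01626.search(line)
        if not m:
            continue
        key = (m["pid"], m["tid"], m["client"])
        if not m["rule"].startswith("<"):
            pending.setdefault(key, []).append((m["rule"], bool(m["nouser"])))
            continue
        children = pending.pop(key, [])
        # Only a plain "denied" on <RequireAll> can hide a needed auth challenge.
        if m["rule"] != "<RequireAll>" or m["result"] != "denied" or m["nouser"]:
            continue
        first = next((i for i, (_, nouser) in enumerate(children) if nouser), None)
        if first is not None and first < len(children) - 1:
            findings.append({
                "client": m["client"],
                "needs_auth": children[first][0],
                "evaluated_after": [rule for rule, _ in children[first + 1:]],
            })
    return findings

def _line(tid, port, tail):
    # Builds a constructed log line in the format quoted in the post.
    return (f"[Thu Aug 02 23:35:08.874887 2012] [authz_core:debug] [pid 19527:tid {tid}] "
            f"mod_authz_core.c(783): [client 127.0.0.1:{port}] AH01626: authorization result of {tail}")

EXPR = "Require expr %{note:mod_userdir_user} == %{REMOTE_USER}: denied"
# Constructed sample: the post's request (port 50635) rejoined onto single lines,
# plus an invented request (port 50700) where valid-user passed and the 403 is genuine.
SAMPLE = [
    _line(1100466496, 50635, "Require valid-user : denied (no authenticated user yet)"),
    _line(1100466496, 50635, EXPR),
    _line(1100466496, 50635, "<RequireAll>: denied"),
    _line(1100466497, 50700, "Require valid-user : granted"),
    _line(1100466497, 50700, EXPR),
    _line(1100466497, 50700, "<RequireAll>: denied"),
]
```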
