On 06 Aug 2012, at 12:01 AM, Stefan Fritsch wrote:

> The API is currently such that an authz provider must return
> AUTHZ_DENIED_NO_USER instead of AUTHZ_DENIED if its result may change
> after authentication. Require expr in 2.4.2 does not do that. But it
> will be fixed in 2.4.3 with
>
> http://svn.apache.org/viewvc?view=revision&revision=1364266

I'm away for part of this week; I'll try this out when I get back.

My concern with the API is that it seems that some of the Require lines are AUTHN related, while others are AUTHZ. In theory, if a single Require check fails AUTHN, it nullifies AUTHZ - you cannot know if the AUTHZ would have succeeded or failed until AUTHN has occurred successfully.

This in turn means that if a line like "Require valid-user" fails, you can draw no conclusion about any of the AUTHZ lines: they might have succeeded, they might have failed, impossible to know with the information at hand.

Regards,
Graham
--
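
A simplified model of the behaviour discussed in this thread, added as an example and not code from httpd or from either poster. The status names mirror `authz_status` in httpd 2.4's `mod_auth.h`; `handle_request`, the `outcome` enum, the two check functions and the user `alice` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Status names as in httpd 2.4 mod_auth.h; everything else is a model. */
typedef enum { AUTHZ_DENIED, AUTHZ_GRANTED, AUTHZ_NEUTRAL,
               AUTHZ_GENERAL_ERROR, AUTHZ_DENIED_NO_USER } authz_status;

/* Hypothetical request outcomes used by this model only. */
typedef enum { GRANTED, DENIED_BEFORE_AUTHN, NEEDS_AUTHN,
               DENIED_AFTER_AUTHN } outcome;

typedef authz_status (*check_fn)(const char *user);

/* Problem shape: the result depends on the user, yet a missing user
 * is reported as a final denial. */
static authz_status check_user_buggy(const char *user) {
    if (user == NULL) return AUTHZ_DENIED;
    return strcmp(user, "alice") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* Expected shape: a missing user means "cannot decide yet". */
static authz_status check_user_fixed(const char *user) {
    if (user == NULL) return AUTHZ_DENIED_NO_USER;
    return strcmp(user, "alice") == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* Pass 1 runs the check with no user. Only AUTHZ_DENIED_NO_USER lets the
 * request reach authentication and a second pass with the user known.
 * creds: the user the client can authenticate as, or NULL for none. */
outcome handle_request(check_fn check, const char *creds) {
    authz_status first = check(NULL);
    if (first == AUTHZ_GRANTED) return GRANTED;
    if (first != AUTHZ_DENIED_NO_USER) return DENIED_BEFORE_AUTHN;
    if (creds == NULL) return NEEDS_AUTHN;
    return check(creds) == AUTHZ_GRANTED ? GRANTED : DENIED_AFTER_AUTHN;
}

int main(void) {
    /* Constructed inputs: alice is the only authorized user. */
    printf("buggy, alice: %d\n", handle_request(check_user_buggy, "alice"));
    printf("fixed, alice: %d\n", handle_request(check_user_fixed, "alice"));
    printf("fixed, none:  %d\n", handle_request(check_user_fixed, NULL));
    printf("fixed, bob:   %d\n", handle_request(check_user_fixed, "bob"));
    return 0;
}
```

With the buggy check, a legitimate user is refused before credentials are ever evaluated, so the denial says nothing about what authorization would have decided once the user was known.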
