At 9:40 AM -0500 2006/11/08, Joshua Slive wrote:
> On 11/4/06, Chris Pepper <[EMAIL PROTECTED]> wrote:
>
> > Note that Allow and Deny directives are processed <strong>in
> > ascending order</strong>, unlike a typical firewall, where only the
> > first match counts.
>
> That's all fine with me.  But I really don't find "in ascending order"
> to mean anything in particular.  Is that firewall terminology?  I'd
> just say something along the lines of "Note that the <strong>last
> evaluated</strong> Allow or Deny directive sets the final access
> state."

It needs to be clear that a 'Deny' coming after an 'Allow' wins. I was thinking of priorities that climb as you advance through the passes, as opposed to firewalls, which never see conflicting rules because they stop at the first match.

Does this table clarify or just confuse? It could also be rendered as a couple of bulleted lists, but I think it's helpful to see the A,D results in relation to the D,A results.

        If we can agree on content, I'll convert to XML and submit.

<table border="1">
        <tr>
                <th>Allow,Deny Match</th>
                <th>Allow,Deny Result</th>
                <th>Deny,Allow Result</th>
        </tr><tr>
                <th>Match Allow only</th>
                <td>Request Allowed</td>
                <td>Request Allowed</td>
        </tr><tr>
                <th>Match Deny only</th>
                <td>Request Denied</td>
                <td>Request Denied</td>
        </tr><tr>
                <th>No match</th>
                <td>Default to second directive (Denied)</td>
                <td>Default to second directive (Allowed)</td>
        </tr><tr>
                <th>Match both Allow &amp; Deny directives</th>
                <td>Final match 'wins': request Denied</td>
                <td>Final match 'wins': request Allowed</td>
        </tr>
</table>


                                                Thanks,


                                                Chris
--
Chris Pepper:               <http://www.reppep.com/~pepper/>
                            <http://www.reppep.com/weblog/pepper/>
Rockefeller University:     <http://www.rockefeller.edu/>
Title: Proposed Order Clarification

The Allow and Deny directives (and the Order directive) control a three-pass access control method. The first pass processes all Allow or Deny directives, as specified by the Order directive. The second pass parses the rest of the directives (Deny or Allow). The third "default" pass applies to all requests which do not match either of the first two.

Note that Allow and Deny directives are processed in ascending order, unlike a typical firewall, where only the first match counts. Additionally, the order in which lines appear in the configuration files is not significant -- all Allow lines are processed as a group, and all Deny lines are considered together.

Allow,Deny

First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default.

Deny,Allow

First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

<table border="1">
        <tr>
                <th>Allow,Deny Match</th>
                <th>Allow,Deny Result</th>
                <th>Deny,Allow Result</th>
        </tr><tr>
                <th>Match Allow only</th>
                <td>Request Allowed</td>
                <td>Request Allowed</td>
        </tr><tr>
                <th>Match Deny only</th>
                <td>Request Denied</td>
                <td>Request Denied</td>
        </tr><tr>
                <th>No match</th>
                <td>Default to second directive (Denied)</td>
                <td>Default to second directive (Allowed)</td>
        </tr><tr>
                <th>Match both Allow &amp; Deny directives</th>
                <td>Final match 'wins': request Denied</td>
                <td>Final match 'wins': request Allowed</td>
        </tr>
</table>
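The three-pass semantics in the proposed text, as an added simulation that is not part of the original message or of httpd: it evaluates a client IP against Allow and Deny lists under both Order settings and reproduces the four rows of the table above. It assumes the "all", full-IP, CIDR/netmask and partial-IP argument forms only (hostname and domain forms need DNS and are left out); the sample lists and client addresses are constructed.

```python
from ipaddress import ip_address, ip_network


def matches(client, pattern):
    """Does one Allow/Deny argument match the client IP?
    Handles 'all', a CIDR or netmask block, a partial dotted prefix
    such as '10.1' (first 1-3 octets), and a full address."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ip_address(client) in ip_network(pattern, strict=False)
    if pattern.count(".") < 3:
        # Partial IP: leading octets only, so '10.1' must not match 10.10.x.x
        return client.startswith(pattern.rstrip(".") + ".")
    return ip_address(client) == ip_address(pattern)


def evaluate(order, allow, deny, client):
    """Apply 'Order <order>': the first-listed directive set is evaluated,
    then the other; the last match wins, and a request matching neither
    falls through to the default of the second-listed directive."""
    allowed = any(matches(client, p) for p in allow)
    denied = any(matches(client, p) for p in deny)
    if order == "Allow,Deny":
        # Pass 1 Allow, pass 2 Deny overrides, pass 3 default deny
        return allowed and not denied
    if order == "Deny,Allow":
        # Pass 1 Deny, pass 2 Allow overrides, pass 3 default allow
        return (not denied) or allowed
    raise ValueError("unknown Order: %r" % order)


def table_row(allow, deny, client):
    """Outcome under both orders, as (Allow,Deny result, Deny,Allow result)."""
    return (evaluate("Allow,Deny", allow, deny, client),
            evaluate("Deny,Allow", allow, deny, client))


if __name__ == "__main__":
    # Constructed sample: Allow from 10.1; Deny from 10.1.2.3 172.16.0.0/12
    ALLOW, DENY = ["10.1"], ["10.1.2.3", "172.16.0.0/12"]
    CASES = [("Match Allow only", "10.1.0.5"), ("Match Deny only", "172.16.5.5"),
             ("No match", "192.168.0.1"), ("Match both", "10.1.2.3")]
    for label, client in CASES:
        ad, da = table_row(ALLOW, DENY, client)
        verdict = lambda ok: "Allowed" if ok else "Denied"
        print("%-18s %-12s Allow,Deny=%-8s Deny,Allow=%s"
              % (label, client, verdict(ad), verdict(da)))
```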