Re: Significance of evaluation order?

[Joshua Slive]

On 11/8/06, Chris Pepper <[EMAIL PROTECTED]> wrote:

At 9:40 AM -0500 2006/11/08, Joshua Slive wrote:
>On 11/4/06, Chris Pepper <[EMAIL PROTECTED]> wrote:
>
>>Note that Allow and Deny directives are processed <strong>in
>>ascending order</strong>, unlike a typical firewall, where only the
>>first match counts.
>
>That's all fine with me.  But I really don't find "in ascending order"
>to mean anything in particular.  Is that firewall terminology?  I'd
>just say something along the lines of "Note that the <strong>last
>evaluated</strong> Allow or Deny directive sets the final access
>state."

        It needs to be clear that a 'Deny' coming after an 'Allow'
wins. I was thinking of priorities that climb as you advance through
the passes, as opposed to firewalls, which never see conflicting
rules because they stop at the first match.

I just don't think "ascending" means anything in this context.  So
just say it explicitly as you do above (and as I do above that).

        Does this table clarify or just confuse? It could also be
rendered as a couple bulleted lists, but I think it's helpful to see
the A,D results in relation to the D,A results.

        If we can agree on content, I'll convert to XML and submit.

<table border="1">
        <tr>
                <th>Allow,Deny Match</th>
                <th>Allow,Deny Result</th>
                <th>Deny,Allow Result</th>
        </tr><tr>
                <th>Match Allow only</th>
                <td>Request Allowed</td>
                <td>Request Allowed</td>
        </tr><tr>
                <th>Match Deny only</th>
                <td>Request Denied</td>
                <td>Request Denied</td>
        </tr><tr>
                <th>No match</th>
                <td>Default to second directive (Denied)</td>
                <td>Default to second directive (Allowed)</td>
        </tr><tr>
                <th>Match both Allow &amp; Deny directives</th>
                <td>Final match 'wins': request Denied</td>
                <td>Final match 'wins': request Allowed</td>
        </tr>
</table>

I like the table.  But I'd replace "Allow,Deny result" with just
"Order allow,deny" (and similarly for Deny,Allow); I'd leave the cell
"Allow,Deny match" blank, and I'd replace "Default to second directive
(Denied)" with "Default condition: request Denied".

By the way, go ahead and commit.  It seems there is general consensus
you are going in the right direction, and details can be cleaned up
later.

Joshua.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]