Begin forwarded message:

Date: Mon, 17 Nov 2008 09:27:03 -0800
From: Chris Darroch <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: MatchAll description
Organization: Pearson CMG/CTG
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080925 SeaMonkey/1.1.12

Takashi Sato wrote:

> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#matchall
> "If none of the directives contained within the <MatchAll> directive fails,
> and at least one succeeds, then the <MatchAll> directive succeeds."
>
> According to this, following config would grant an access from 127.0.0.1
> with no username/password.
>
> <Location /server-info>
>     SetHandler server-info
>
>     AuthType Digest
>     AuthName "private area"
>     AuthUserFile "/var/www/password"
>
>     Match valid-user
>     Match ip 127.0.0.0/8
> </Location>
>
> But actually 127.0.0.1 needs to be "valid-user".

Yes, that's true, because the "valid-user" authz provider will succeed for any request with a login (it assumes the authn providers have authenticated that login), but fail for any request without a login. So in the case you describe, it fails, which means the block as a whole fails (since one or more of the directives failed).

There are certainly some subtle aspects to all of this, in particular, the way that "positive" directives (like Match and Require) can only return success or failure, while "negated" directives can only return failure or a neutral value. Then you've got the specific action of the various authz providers.

Here I might think we want to add a note to the docs on the valid-user provider that it fails if there's no login. Would that help, do you think?

Chris.

--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263 E4DE C8E3 FA36 366A 375B
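The evaluation described in the message above, modelled in Python as an added example (it is not part of the original email and is not Apache's code). The names `Result`, `Request`, `ip_in`, `match`, `match_not` and `match_all` are hypothetical, and the all-neutral outcome of `match_all` is an assumption the message does not cover.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Result(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NEUTRAL = "neutral"

@dataclass
class Request:
    remote_ip: str
    user: Optional[str] = None  # None means the request carried no login

def valid_user(req):
    # Succeeds for any request with a login, fails for any request without one.
    return req.user is not None

def ip_in(cidr):
    # Provider that succeeds when the client address is inside the network.
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req.remote_ip) in net

def match(provider):
    # "Positive" directive: can only return success or failure.
    return lambda req: Result.GRANTED if provider(req) else Result.DENIED

def match_not(provider):
    # "Negated" directive: can only return failure or a neutral value.
    return lambda req: Result.DENIED if provider(req) else Result.NEUTRAL

def match_all(*children):
    def evaluate(req):
        results = [child(req) for child in children]
        if Result.DENIED in results:    # any failure fails the whole block
            return Result.DENIED
        if Result.GRANTED in results:   # none failed and at least one succeeded
            return Result.GRANTED
        return Result.NEUTRAL           # assumption: not covered by the message
    return evaluate

# The two Match lines from the quoted <Location /server-info> block.
server_info = match_all(match(valid_user), match(ip_in("127.0.0.0/8")))
```

Calling `server_info(Request("127.0.0.1"))` returns `Result.DENIED`: the address matches, but `valid_user` fails without a login, so the block as a whole fails.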
