> Takashi Sato wrote:
>
> > http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#matchall
> > "If none of the directives contained within the <MatchAll> directive fails,
> > and at least one succeeds, then the <MatchAll> directive succeeds."
> >
> > According to this, the following config would grant access from 127.0.0.1
> > with no username/password.
> >
> > <Location /server-info>
> > SetHandler server-info
> >
> > AuthType Digest
> > AuthName "private area"
> > AuthUserFile "/var/www/password"
> >
> > Match valid-user
> > Match ip 127.0.0.0/8
> > </Location>
> >
> > But actually 127.0.0.1 needs to be "valid-user".
>
> Yes, that's true, because the "valid-user" authz provider will
> succeed for any request with a login (it assumes the authn providers
> have authenticated that login), but fail for any request without
> a login. So in the case you describe, it fails, which means the block
> as a whole fails (since one or more of the directives failed).
>
> There are certainly some subtle aspects to all of this, in particular,
> the way that "positive" directives (like Match and Require) can only
> return success or failure, while "negated" directives can only return
> failure or a neutral value. Then you've got the specific action of
> the various authz providers.

Thanks for the explanation.
I thought "positive" directives can only return success or a neutral value.

> Here I might think we want to add a note to the docs on the
> valid-user provider that it fails if there's no login. Would that help,
> do you think?

I'm looking at mod_authz_user.xml, and IMHO it is sufficient.
I feel like adding something to mod_authz_core.
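
The evaluation rules discussed in this thread, as an added example that is not part of the original message and is not mod_authz_core code: a small Python model of the `<MatchAll>` result logic applied to the `/server-info` configuration quoted above. The `Result` enum, the function names, the sample requests, and the neutral outcome when no directive succeeds or fails are assumptions made for illustration.

```python
import ipaddress
from enum import Enum

class Result(Enum):
    GRANTED = 1
    DENIED = 2
    NEUTRAL = 3

def valid_user(req):
    # Per the thread: succeeds for any request with a login, fails without one.
    return Result.GRANTED if req.get("user") else Result.DENIED

def ip(cidr):
    net = ipaddress.ip_network(cidr)
    def check(req):
        inside = ipaddress.ip_address(req["ip"]) in net
        return Result.GRANTED if inside else Result.DENIED
    return check

def negated(directive):
    # Per the thread: a negated directive returns only failure or neutral.
    def check(req):
        hit = directive(req) is Result.GRANTED
        return Result.DENIED if hit else Result.NEUTRAL
    return check

def match_all(*directives):
    def check(req):
        results = [d(req) for d in directives]
        if Result.DENIED in results:
            return Result.DENIED      # any failure fails the block
        if Result.GRANTED in results:
            return Result.GRANTED     # none failed, at least one succeeded
        return Result.NEUTRAL         # assumption: nothing failed or succeeded
    return check

# The <Location /server-info> rules from the message above.
server_info = match_all(valid_user, ip("127.0.0.0/8"))

# Constructed sample requests.
LOCAL_ANON = {"ip": "127.0.0.1", "user": None}
LOCAL_USER = {"ip": "127.0.0.1", "user": "alice"}
REMOTE_USER = {"ip": "192.0.2.10", "user": "alice"}

if __name__ == "__main__":
    for name, req in [("local, no login", LOCAL_ANON),
                      ("local, login", LOCAL_USER),
                      ("remote, login", REMOTE_USER)]:
        print(f"{name}: {server_info(req).name}")
```

The local request without a login is denied because `valid_user` fails, which is the behaviour the reply describes; only a logged-in request from 127.0.0.0/8 passes both directives.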
