On 12/23/15 11:16 AM, Sergei Gerasenko wrote:

> On the other hand, if you have 'require user u1 u2', then the 'requires'
> argument is not an array but the string "u1 u2", which needs to be split. 

For what it's worth, I have released AuthCookie v3.24 with a fix to the
(AuthCookie) built-in authz provider that handles "Require user"
directives that now behaves more like the one in apache core.  That is,
it splits the string on whitespace and processes each username in turn,
returning AUTHZ_GRANTED at the first match.  This is exactly what
mod_authz_user does.

It is worth noting that although previous versions of AuthCookie said
you must use:

PerlAddAuthzProvider user Your::AuthCookie::Handler->authz_handler

This is not actually true.  If you do not specify a "user" authz
provider, then the one provided by mod_authz_user will be used instead
(and is preferable).

One other thing to be aware of in terms of how AAA works in Apache 2.4
is that your authz provider methods will *always* be called twice.
First your authz provider will be called before authentication has been
processed ($r->user is not set).  This is to provide the opportunity to
allow anonymous access.  If you return AUTHZ_DENIED_NO_USER, then
authentication will proceed and your authz_provider will be called a
second time with $r->user set to the authenticated username.

I have fleshed out the documentation for this in README.apache-2.4.pod
in the AuthCookie dist, as well as in the Apache2_4::AuthCookie POD
documentation.

The AuthCookie documentation probably could be better, and I think by
the next release I'll absorb/copy most of what is in the
README.apache-2.4 document into the module POD itself.


Regards,
Michael Schout
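
The two-pass behaviour and whitespace splitting described in the message above, as an added example that is not part of the original message and is not AuthCookie's code. The `authz_user` function, its simplified `($r, $requires)` signature, the `MockRequest` package and the string constants (stand-ins for the `Apache2::Const` values, so the script runs without mod_perl) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-ins so this runs without mod_perl; under mod_perl these names are
# imported from Apache2::Const instead of being defined here.
use constant {
    AUTHZ_GRANTED        => 'AUTHZ_GRANTED',
    AUTHZ_DENIED         => 'AUTHZ_DENIED',
    AUTHZ_DENIED_NO_USER => 'AUTHZ_DENIED_NO_USER',
};

# Hypothetical "user" authz provider. $requires is the raw directive
# argument, e.g. the string "u1 u2" for "Require user u1 u2".
sub authz_user {
    my ($r, $requires) = @_;

    # First pass: no authenticated user yet. Ask Apache to authenticate
    # and call again, rather than comparing against an undefined user.
    my $user = $r->user;
    return AUTHZ_DENIED_NO_USER unless defined $user && length $user;

    # Second pass: split on whitespace, exact string match, first hit wins.
    for my $name (split ' ', $requires // '') {
        return AUTHZ_GRANTED if $name eq $user;
    }
    return AUTHZ_DENIED;
}

# Minimal mock of the request object: only ->user is needed here.
package MockRequest {
    sub new  { my ($class, $user) = @_; return bless { user => $user }, $class }
    sub user { return $_[0]{user} }
}

# Constructed cases: [authenticated user, Require argument, expected result]
my @cases = (
    [undef, 'u1 u2',     AUTHZ_DENIED_NO_USER],  # pass 1, before authentication
    ['u2',  'u1 u2',     AUTHZ_GRANTED],         # pass 2, second name matches
    ['u3',  'u1 u2',     AUTHZ_DENIED],          # authenticated but not listed
    ['u',   "  u1\tu2 ", AUTHZ_DENIED],          # no prefix or substring matching
);
for my $c (@cases) {
    my ($user, $requires, $want) = @$c;
    my $got = authz_user(MockRequest->new($user), $requires);
    die "unexpected $got for '$requires'" unless $got eq $want;
    printf "%-7s require user '%s' => %s\n", $user // '(none)', $requires, $got;
}
```

Returning `AUTHZ_DENIED` rather than `AUTHZ_DENIED_NO_USER` on the first pass would reject the request before authentication is ever attempted, so the undefined-user check has to come before any name comparison.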
