On 8/15/2012 7:45 AM, Rainer Jung wrote: > On 14.08.2012 23:30, Ben Johnson wrote: >> Hello, >> >> I've scoured the Internet for examples of how to implement logical >> operators where the "require" directive is concerned. >> >> The dearth of documentation and discussion regarding this subject leads >> me to believe that it has not been implemented, or was implemented at >> one time and then removed. >> >> This is the most thorough discussion I can find on the subject, which >> dead-ends: >> http://www.mombu.com/programming/linux/t-apache-22-both-require-user-and-require-group-739013.html >> >> >> My location block, which, at present, only allows one group >> ("programmers"), looks something like this: >> >> <Location /svn/project> >> AuthType Basic >> AuthName "SVN Repository" >> AuthBasicProvider dbm >> AuthDBMType DB >> AuthDBMUserFile "/var/www/apache-users" >> AuthDBMGroupFile "/var/www/apache-users" >> require group programmers >> DAV svn >> AuthzSVNAccessFile /var/www/projects/svn-access-control.cfg >> SVNPath /var/www/svn/project >> </Location> >> >> Ideally, I wish to do something like the following (I'm using >> pseudo-code here, because it's probably easier to understand than plain >> English): >> >> if ($group === 'programmers' || ($group === 'clients && $user === >> 'joe')) { >> //Allow access. >> } >> else { >> //Deny access. >> } >> >> Is this possible? Or do I need to give-up on controlling authentication >> at this level and instead focus on authorization within >> "svn-access-control.cfg"? >> >> Thanks for any help! > > You might be looking for the RequireAny and RequireAll container > directives: > > http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall > > See also > > httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall > > and finally the How To > > http://httpd.apache.org/docs/2.4/en/howto/auth.html > > Regards, > > Rainer
Thanks, Rainer! This is exactly what I was looking for: the ability to implement complex authorization containers. That said, as I explained in my reply to Hugh (on this same subject), it seems that the AuthzSVN module (and the directives defined in AuthzSVNAccessFile) is taking precedence over Basic authorization module. I found the following excerpt at http://www.csparks.com/Subversion.xhtml : "The Satisfy Any directive tells Apache to allow access if either the Allow directive is satisfied or one of the Auth modules is satified. The "Allow from all" is always satisfied. But we have two Auth modules: AuthzSVN and AuthDigest. In this case AuthzSVN will look into the svnusers.conf file. If no user name is required for the requested resource, no prompt for authentication will occur. But if a username is required, the AuthDigest module will come into play and prompt for credentials. The authorized name is allowed to do whatever the AuthzSVNAccessFile permits." This statement seems consistent with the observed behavior. And it bears mention that in my example directives (and those at the above-cited resource), "require" directives come before the "AuthzSVNAccessFile" directive, which seems to indicate that the order is irrelevant. Do you have any experience or advice in this regard? Basically, I am trying to determine how much of the access control should be done in the <Location></Location> block and how much of it should be done in the AuthzSVNAccessFile. My primary concern is that we have dozens of SVN repositories and I don't want to have to define the "[groups]" for every single repository when the groups are the same for all of them. In fact, I would prefer to use a single AuthzSVNAccessFile that has some very basic rules and handle all other aspects of access control in the Location blocks in which each repository is defined. Does this make any sense at all? Thanks again, -Ben --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
