Posted to dev@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2006/01/13 16:19:39 UTC

Re: Merging branch authz-dev - Authorization and Access Control 2.3 vs. 2.2

On 1/12/06, Brad Nicholes <bn...@novell.com> wrote:
>   OK, try this on for size.  Since Order,Allow,Deny are all hooked at
> the access_checker stage, we should be able to add these directives back
> in and allow them to function normally.  The real problem is 'Satisfy'
> because it had its fingers into the middle of
> ap_process_request_internal().  So to get around this problem, I added
> the directive back into mod_authz_host (along with Order,Allow,Deny) and
> let it do its thing also.  'Satisfy All' is the default (as it was
> before) meaning that if the access_checker fails or the authz_checker
> fails, then the entire request fails.  But if 'Satisfy Any' is specified
> then if the access_checker fails, it makes a note of that fact in the
> request_rec->notes and defers to the authz_checker.  If the
> authz_checker fails, obviously the request fails.  But if the request
> makes it all the way to the mod_authz_default handler, this handler
> checks the note and determines whether or not to authorize or reject the
> request based on what the current state of both access control and
> authz.
>
>    So what this means is that Order,Allow,Deny,Satisfy are back and
> *should* function as before alongside the new authz model.  This
> should resolve the backward compatibility issue with the following
> caveat.  Both mod_authn_default and mod_authz_default modules must be
> loaded.  These modules implement the catch-all handlers that allow things
> to work if no authn or authz is implemented for a <Directory> or
> <Location>.  Otherwise access is automatically denied. What I would like
> to see is the above  *should* confirmed to be a *do*.  In other words, I
> am looking for some help testing this.  Any takers?  So far my testing
> shows that things are good.

The idea seems right to me.  I'll try to find time to do some testing,
but I'm pretty backed-up at the moment.

I would consider moving this compat code into mod_access_compat or
something of the like so that it would be easy for people to select
whether they want the clean new system or a mix of the new and old
system.  Since this change will not come until at least 2.4, I think
it is acceptable to have module name changes (as we did from 2.0 to
2.2).

Joshua.
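
A small C model of the decision flow described in the quoted message, added here as an illustration; it is not code from the patch or from httpd. The type and function names are hypothetical, and the catch-all rule (reject only when the access-failure note is set) is an assumption, since the message does not spell that decision out.

```c
/* Hypothetical model of the flow described in the quoted message; not httpd code. */
#include <stdbool.h>
#include <stdio.h>

enum satisfy { SATISFY_ALL, SATISFY_ANY };
/* AUTHZ_NONE: no authz module decided, so the catch-all handler is reached. */
enum authz   { AUTHZ_GRANTED, AUTHZ_DENIED, AUTHZ_NONE };
enum verdict { REQ_ALLOWED, REQ_FORBIDDEN };

/* Stands in for the entry the access checker leaves in request_rec->notes. */
struct req_model { bool access_failed_note; };

/* access_checker stage: returns false when the request fails right here. */
static bool access_stage(struct req_model *r, enum satisfy s, bool host_ok)
{
    if (host_ok) return true;
    if (s == SATISFY_ALL) return false;   /* Satisfy All: failure is final */
    r->access_failed_note = true;         /* Satisfy Any: note it and defer */
    return true;
}

/* authz_checker stage followed by the catch-all (mod_authz_default's role). */
static enum verdict authz_stage(const struct req_model *r, enum authz a)
{
    if (a == AUTHZ_DENIED)  return REQ_FORBIDDEN;  /* authz failure always fails */
    if (a == AUTHZ_GRANTED) return REQ_ALLOWED;
    /* Assumption: with nothing granted, the note alone decides. */
    return r->access_failed_note ? REQ_FORBIDDEN : REQ_ALLOWED;
}

enum verdict decide(enum satisfy s, bool host_ok, enum authz a)
{
    struct req_model r = { false };
    if (!access_stage(&r, s, host_ok)) return REQ_FORBIDDEN;
    return authz_stage(&r, a);
}

int main(void)
{
    static const char *sn[] = { "All", "Any" }, *an[] = { "granted", "denied", "none" };
    for (int s = 0; s < 2; s++)
        for (int h = 1; h >= 0; h--)
            for (int a = 0; a < 3; a++)
                printf("Satisfy %-3s host=%-5s authz=%-7s -> %s\n", sn[s],
                       h ? "allow" : "deny", an[a],
                       decide((enum satisfy)s, h != 0, (enum authz)a) == REQ_ALLOWED
                           ? "allowed" : "forbidden");
    return 0;
}
```

The row for Satisfy Any with a passing host check and a denying authz checker is the one to compare against 2.2 when testing, because in 2.2 a passing access check under Satisfy Any skips the authentication and authorization hooks.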

Re: Merging branch authz-dev - Authorization and Access Control 2.3 vs. 2.2

Posted by Brad Nicholes <BN...@novell.com>.
>>> On 1/13/2006 at 8:19:39 am, in message <e4...@mail.gmail.com>, joshua@slive.ca wrote:
> I would consider moving this compat code into mod_access_compat or
> something of the like so that it would be easy for people to select
> whether they want the clean new system or a mix of the new and old
> system.  Since this change will not come until at least 2.4, I think
> it is acceptable to have module name changes (as we did from 2.0 to
> 2.2).
> 
> Joshua.

I'm OK with that.  I will rework the patch into a mod_access_compat
module.

Brad