Posted to dev@httpd.apache.org by di...@covalent.net on 2002/07/11 15:40:16 UTC

Auth - what should happen

Opinions - not on what happens today in 1.3 but what should happen in a
perfect world:

Given a config like this:

	<Directory /my/secrets>
	AuthType 	basic
	AuthName	Restricted area
	</Directory>

What should happen ? Allowed in with, or without a password ? What would
users feel as most logical ?

Then
	<Directory /my/secrets>
	AuthType 	basic
	AuthName	Restricted area
	<Limit POST>
		require valid-user
	</Limit>
	</Directory>

Same here when using a GET. (Note - I've not even started with 'allow
from' or 'satisfy any' complexity).

Thanks,

Dw
-- 
Dirk-Willem van Gulik


Re: Auth - what should happen

Posted by di...@covalent.net.
> note that this situation is a bit different from the others since the
> apache core will pass ALL requirements (limited or not) to every auth
> module.  Each individual auth module can make its own decision in this
> case (i.e. there are requirements for some methods and no requirements
> for other methods).  This is along that grey line of 'this is how the
> "standard" auth modules deal with this situation' - not 'this is how auth
> will work in apache'.

But solving that would mean an overhaul of the require parsing; i.e. allow
modules to 'claim' those - akin to how they claim Directives.

Dw.


Re: Auth - what should happen

Posted by jo...@sterls.com.
On Mon, 22 Jul 2002, Rodent of Unusual Size wrote:

> dirkx@covalent.net wrote:
> >
...snip
> >
> >         <Directory /my/secrets>
> >         AuthType        basic
> >         AuthName        Restricted area
> >         <Limit POST>
> >                 require valid-user
> >         </Limit>
> >         </Directory>
> >
> > Same here when using a GET. (Note - I've not even started with 'allow
> > from' or 'satisfy any' complexity).
>
> Do exactly what it says to do, no more and no less: only apply
> restrictions for POST requests.  Maybe it isn't what they intended,
> but trying to be smarter than the user will not only get us in
> trouble, but will also treble the confusion and support queries in
> an already confusing area.

note that this situation is a bit different from the others since the
apache core will pass ALL requirements (limited or not) to every auth
module.  Each individual auth module can make its own decision in this
case (i.e. there are requirements for some methods and no requirements
for other methods).  This is along that grey line of 'this is how the
"standard" auth modules deal with this situation' - not 'this is how auth
will work in apache'.

sterling



Re: Auth - what should happen

Posted by di...@covalent.net.
> DON'T second-guess them.  Since no restrictions have been put in place,
> don't try to apply any.  There may be Auth*File and Require directives
> in .htaccess files within the above scope -- you don't know.

Good point - I'll change that in the version I have now.

Dw.


Re: Auth - what should happen

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
dirkx@covalent.net wrote:
> 
> Opinions - not on what happens today in 1.3 but what should happen in a
> perfect world:
> 
> Given a config like this:
> 
>         <Directory /my/secrets>
>         AuthType        basic
>         AuthName        Restricted area
>         </Directory>
> 
> What should happen ? Allowed in with, or without a password ? What would
> users feel as most logical ?

DON'T second-guess them.  Since no restrictions have been put in place,
don't try to apply any.  There may be Auth*File and Require directives
in .htaccess files within the above scope -- you don't know.

>         <Directory /my/secrets>
>         AuthType        basic
>         AuthName        Restricted area
>         <Limit POST>
>                 require valid-user
>         </Limit>
>         </Directory>
> 
> Same here when using a GET. (Note - I've not even started with 'allow
> from' or 'satisfy any' complexity).

Do exactly what it says to do, no more and no less: only apply
restrictions for POST requests.  Maybe it isn't what they intended,
but trying to be smarter than the user will not only get us in
trouble, but will also treble the confusion and support queries in
an already confusing area.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"
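
[Added example, not code from the thread or from the Apache project.] The reading Ken argues for above - a Require inside <Limit POST> restricts POST and nothing else - leaves every other method (GET, HEAD, PUT, DELETE, OPTIONS, and anything a module adds later) open. The script below models exactly that rule for a <Directory> block: a Require outside any <Limit> covers all methods, one inside <Limit M...> covers only the listed methods, and one inside <LimitExcept M...> covers everything else; Apache's rule that restricting GET also restricts HEAD is modelled too. It then reports which methods end up with no Require at all. The parser is a deliberately minimal line-oriented one for the directives used in the thread, not a general Apache config parser; the method list COMMON_METHODS and the three sample configs are constructed for the example (the first mirrors the second snippet in the thread).

```python
"""Report HTTP methods that no Require directive covers in a <Directory> block.

Added example; it models the "do exactly what it says" semantics discussed
in the thread, not Apache's own implementation.
"""
import re

# Constructed universe of methods to check; a real server may accept more.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")

_OPEN = re.compile(r"^<(Limit|LimitExcept)\s+([^>]+)>$", re.I)
_CLOSE = re.compile(r"^</(Limit|LimitExcept)>$", re.I)
_REQUIRE = re.compile(r"^Require\s+(.+)$", re.I)


def parse_requirements(config):
    """Return a list of (covered_methods, require_argument) tuples.

    covered_methods is None when the Require applies to every method, else a
    frozenset of the methods it applies to (LimitExcept is inverted against
    COMMON_METHODS, the only universe this toy knows).  Lines that are not
    <Limit>, <LimitExcept> or Require (AuthType, AuthName, <Directory>...)
    are ignored.
    """
    scope = None  # None = outside any Limit block, else (kind, methods)
    found = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            if scope is not None:
                raise ValueError("nested <Limit> blocks are not allowed")
            methods = {tok.upper() for tok in m.group(2).split()}
            if "GET" in methods:
                methods.add("HEAD")  # Apache: limiting GET also limits HEAD
            scope = (m.group(1).lower(), frozenset(methods))
            continue
        if _CLOSE.match(line):
            if scope is None:
                raise ValueError("closing tag without an open <Limit>")
            scope = None
            continue
        m = _REQUIRE.match(line)
        if m:
            if scope is None:
                found.append((None, m.group(1)))
            elif scope[0] == "limit":
                found.append((scope[1], m.group(1)))
            else:  # limitexcept: everything but the listed methods
                found.append((frozenset(COMMON_METHODS) - scope[1], m.group(1)))
    if scope is not None:
        raise ValueError("unclosed <Limit> block")
    return found


def unprotected_methods(config, methods=COMMON_METHODS):
    """Return the methods in `methods` that no Require directive covers."""
    covered = set()
    for scope, _arg in parse_requirements(config):
        covered |= set(methods) if scope is None else set(scope)
    return tuple(m for m in methods if m not in covered)


# Constructed sample configs.  The first is the thread's second snippet.
LIMIT_POST = """
<Directory /my/secrets>
    AuthType Basic
    AuthName "Restricted area"
    <Limit POST>
        Require valid-user
    </Limit>
</Directory>
"""

# Same intent, written so only the read-only methods stay open.
LIMIT_EXCEPT = """
<Directory /my/secrets>
    AuthType Basic
    AuthName "Restricted area"
    <LimitExcept GET HEAD>
        Require valid-user
    </LimitExcept>
</Directory>
"""

# No Limit at all: the Require covers every method.
UNSCOPED = """
<Directory /my/secrets>
    AuthType Basic
    AuthName "Restricted area"
    Require valid-user
</Directory>
"""

if __name__ == "__main__":
    for name, cfg in (("<Limit POST>", LIMIT_POST),
                      ("<LimitExcept GET HEAD>", LIMIT_EXCEPT),
                      ("unscoped Require", UNSCOPED)):
        print("%-24s unprotected: %s" % (name, ", ".join(unprotected_methods(cfg)) or "none"))
```

With the thread's <Limit POST> config the script lists GET, HEAD, PUT, DELETE and OPTIONS as unprotected, which is the behaviour Ken describes and the reason the Apache documentation recommends putting access control outside <Limit> (or inside <LimitExcept>) unless you really mean to restrict only the named methods.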

RE: Auth - what should happen

Posted by Jeroen Massar <je...@unfix.org>.
dirkx@covalent.net [mailto:dirkx@covalent.net] wrote:

> Opinions - not on what happens today in 1.3 but what should 
> happen in a
> perfect world:
> 
> Given a config like this:
> 
> 	<Directory /my/secrets>
> 	AuthType 	basic
> 	AuthName	Restricted area
> 	</Directory>
> 
> What should happen ? Allowed in with, or without a password ? 
> What would users feel as most logical ?
They want it to be open, probably, unless you've got security-savvy
types; they want it closed.
In other words: Default Policy Closed

If it doesn't serve content people will notice,
people will complain, people will fix.
If it by default serves content, it could be content that
people didn't want to serve at all.

> 
> Then
> 	<Directory /my/secrets>
> 	AuthType 	basic
> 	AuthName	Restricted area
> 	<Limit POST>
> 		require valid-user
> 	</Limit>
> 	</Directory>
> 
> Same here when using a GET. (Note - I've not even started with 'allow
> from' or 'satisfy any' complexity).

Maybe introduce a "LimitPolicy Deny"
But we got "Order deny,allow" for that.
If we take into consideration that "Order" defaults to "deny,allow"
one would end up:
 - Allowing POST to valid-user.
 - Denying anything else.

Greets,
 Jeroen