You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by di...@covalent.net on 2002/07/11 15:40:16 UTC
Auth - what should happen
Opinions - not on what happens to day in 1.3 but what should happen in a
perfect world:
Given a config like this:
<Directory /my/secrets>
AuthType basic
AuthName Restricted area
</Directory>
What should happen ? Allowed in with, or without a password ? What would
users feel as most logical ?
Then
<Directory /my/secrets>
AuthType basic
AuthName Restricted area
<Limit POST>
require valid-user
</Limit>
</Directory>
Same here when using a GET. (Note - I've not even started with 'allow
from' or 'satisfy any complexity).
Thanks,
Dw
--
Dirk-Willem van Gulik
Re: Auth - what should happen
Posted by di...@covalent.net.
> note that this situation is a bit different from the others since the
> apache core will pass ALL requirements (limited or not) to every auth
> module. Each individual auth module can make its own decision in this
> case (i.e. there are requirements for some methods and no requirements
> for other methods). This is along that grey line of 'this is how the
> "standard" auth modules deal with this situation' - not 'this is how auth
> will work in apache'.
But solving that would mean an overhaul of the require parsing; i.e. allow
modules to 'claim' those - akin to how they claim Directives.
Dw.
Re: Auth - what should happen
Posted by jo...@sterls.com.
On Mon, 22 Jul 2002, Rodent of Unusual Size wrote:
> dirkx@covalent.net wrote:
> >
...snip
> >
> > <Directory /my/secrets>
> > AuthType basic
> > AuthName Restricted area
> > <Limit POST>
> > require valid-user
> > </Limit>
> > </Directory>
> >
> > Same here when using a GET. (Note - I've not even started with 'allow
> > from' or 'satisfy any complexity).
>
> Do exactly what it says to do, no more and no less: only apply
> restrictions for POST requests. Maybe it isn't what they intended,
> but trying to be smarter that the user will not only get us in
> trouble, but will also treble the confusion and support queries in
> an already confusing area.
note that this situation is a bit different from the others since the
apache core will pass ALL requirements (limited or not) to every auth
module. Each individual auth module can make its own decision in this
case (i.e. there are requirements for some methods and no requirements
for other methods). This is along that grey line of 'this is how the
"standard" auth modules deal with this situation' - not 'this is how auth
will work in apache'.
sterling
Re: Auth - what should happen
Posted by di...@covalent.net.
> DON'T second-guess them. Since no restrictions have been put in place,
> don't try to apply any. There may be Auth*File and Require directives
> in .htaccess files within the above scope -- you don't know.
Good point - I'll change that in the version I have now.
Dw.
Re: Auth - what should happen
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
dirkx@covalent.net wrote:
>
> Opinions - not on what happens to day in 1.3 but what should happen in a
> perfect world:
>
> Given a config like this:
>
> <Directory /my/secrets>
> AuthType basic
> AuthName Restricted area
> </Directory>
>
> What should happen ? Allowed in with, or without a password ? What would
> users feel as most logical ?
DON'T second-guess them. Since no restrictions have been put in place,
don't try to apply any. There may be Auth*File and Require directives
in .htaccess files within the above scope -- you don't know.
> <Directory /my/secrets>
> AuthType basic
> AuthName Restricted area
> <Limit POST>
> require valid-user
> </Limit>
> </Directory>
>
> Same here when using a GET. (Note - I've not even started with 'allow
> from' or 'satisfy any complexity).
Do exactly what it says to do, no more and no less: only apply
restrictions for POST requests. Maybe it isn't what they intended,
but trying to be smarter that the user will not only get us in
trouble, but will also treble the confusion and support queries in
an already confusing area.
--
#ken P-)}
Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/
"Millennium hand and shrimp!"
RE: Auth - what should happen
Posted by Jeroen Massar <je...@unfix.org>.
dirkx@covalent.net [mailto:dirkx@covalent.net] wrote:
> Opinions - not on what happens to day in 1.3 but what should
> happen in a
> perfect world:
>
> Given a config like this:
>
> <Directory /my/secrets>
> AuthType basic
> AuthName Restricted area
> </Directory>
>
> What should happen ? Allowed in with, or without a password ?
> What would users feel as most logical ?
They want it to be open probably, unless you got security
savvy types, they want it closed.
In order words: Default Policy Closed
If it doesn't serve content people will notice,
people will complain, people will fix.
If it by default serves content, it could be content that
people didn't want to serve at all.
>
> Then
> <Directory /my/secrets>
> AuthType basic
> AuthName Restricted area
> <Limit POST>
> require valid-user
> </Limit>
> </Directory>
>
> Same here when using a GET. (Note - I've not even started with 'allow
> from' or 'satisfy any complexity).
Maybe introduce a "LimitPolicy Deny"
But we got "Order deny,allow" for that.
If we take into consideration that "Order" defaults to "deny,allow"
one would end up:
- Allowing POST to valid-user.
- Denying anything else.
Greets,
Jeroen