Posted to modperl@perl.apache.org by Marius Gavrilescu <ma...@ieval.ro> on 2013/11/16 23:35:06 UTC

Optional authentication / dynamic Require

I have a directory with subdirectories which are either:
- public, which means everybody (even unauthenticated users) should be
able to view them.
- private, which means only authenticated users who are also admins
should be able to view them.

What I've tried is:

	<Directory /path/to/parent/directory/*/>
		AuthName MyApp
		PerlSetVar AuthenPassphraseRootdir /path/to/wherever
		PerlSetVar AuthzCapsRootdir /path/to/wherever
		PerlAuthenHandler Apache2::Authen::Passphrase
		PerlAuthzHandler Apache2::AuthzCaps
	
		PerlAuthzHandler MyApp::private
		Require admin-if-private
	</Directory>

where MyApp::private looks like (simplified):

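	use feature 'switch';                # enables given/when
	use Apache2::Access ();              # provides $r->requires
	use Apache2::RequestRec ();          # provides $r->user
	use Apache2::Const qw(OK DECLINED);
	
	sub resource_is_private { ... }
	sub is_admin { ... }
	
	sub private {
	  my $r = shift;
	
	  # Look at every Require line that applies to this request
	  for my $requirement (map { $_->{requirement} } @{$r->requires}) {
	    my ($command, @args) = split ' ', $requirement;
	
	    given ($command) {
	      when ('admin-if-private') {
	        # Public resources are open to everyone; private ones need an admin
	        return OK if !resource_is_private || ($r->user && is_admin $r->user);
	      }
	    }
	  }
	
	  DECLINED
	}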

However, apache2 asks for authentication for access to any subdirectory
(because of the Require directive), and denies access if the user
does not provide valid credentials.

One idea I had is to drop the require, and write a PerlInitHandler that
checks if the subdirectory is private and if yes it tells apache2 to
request authentication (but I don't know how to do this).

Another is to add a dummy PerlAuthenHandler that returns OK if the
subdirectory is public, and DECLINED otherwise. But it would have to run
before the other authentication handler, and I don't know how to order
handlers (Do the handlers run in the order of the Perl*Handler
directives? If yes, is this documented somewhere or may it change in a
future release?).
-- 
Marius Gavrilescu
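
A sketch of the second idea in the post (a dummy authentication handler that lets public subdirectories through), added here as an example and not part of the original message or of any module it names. The module name MyApp::OptionalAuthen, the MyAppRootdir variable and the ".public" marker file are hypothetical, and the sketch assumes an Apache 2.2-style setup in which stacked PerlAuthenHandlers run in the order they are listed.

```perl
package MyApp::OptionalAuthen;    # hypothetical module name

use strict;
use warnings;

use Apache2::RequestRec ();       # $r->filename
use Apache2::RequestUtil ();      # $r->dir_config
use Apache2::Const -compile => qw(OK DECLINED);
use File::Spec ();

# Assumed configuration, with this handler listed before the real one:
#   PerlSetVar MyAppRootdir /path/to/parent/directory
#   PerlAuthenHandler MyApp::OptionalAuthen Apache2::Authen::Passphrase

# Assumption: a top-level subdirectory is public only if it contains a
# marker file named ".public". Everything else, including any lookup
# failure, is treated as private, so the check fails closed.
sub resource_is_public {
    my ($r) = @_;
    my $root = $r->dir_config('MyAppRootdir');
    my $path = $r->filename;
    return 0 unless defined $root && length $root;
    return 0 unless defined $path && length $path;

    # First path component below the root decides public vs. private
    my $rel   = File::Spec->abs2rel($path, $root);
    my ($top) = File::Spec->splitdir($rel);
    return 0 if !defined $top || $top eq '' || $top eq '.' || $top eq '..';

    return -e File::Spec->catfile($root, $top, '.public') ? 1 : 0;
}

sub handler {
    my $r = shift;

    # OK ends the authentication phase without a login prompt;
    # $r->user stays unset for these requests.
    return Apache2::Const::OK if resource_is_public($r);

    # DECLINED passes the request on to the next authentication handler,
    # which asks for credentials as usual.
    return Apache2::Const::DECLINED;
}

1;
```

Because $r->user is unset on public requests, every authorization handler that runs afterwards still has to make the access decision itself and must not treat a missing user as an admin.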