You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Ben Reser <be...@reser.org> on 2013/08/02 03:05:10 UTC

Re: Struggling with AuthMerging

On Wed, Jul 31, 2013 at 8:02 AM, Mikhail T. <mi...@aldan.algebra.com> wrote:
> As a minimum, testing the subsequent children of RequireAll after one of
> them already responded with "denied" seems like a bug...

I'm not sure about the AuthMerging but I can say that trying the "tiv
expiration" is not a bug.

First of all you should understand that authz providers are called
TWICE.   The general process for authz handling is as such:
1) authz providers are called before authentication is processed to
check for anonymous access (i.e. r->user == NULL).  If the resulting
response is AUTHZ_GRANTED then access is provided and no other
authn/authz processing occurs.  If the resulting response is
AUTHZ_DENIED or AUTHZ_NEUTRAL then the request is provided with
HTTP_FORBIDDEN.  If the resulting response is AUTHZ_DENIED_NO_USER
then processing continues.
2) authentication is processed.  r->user gets set.  Errors out here if
the user can't authenticate.
3) authz providers are called this time with r->user set.  If the
result is AUTHZ_GRANTED then access is granted and http starts the
work to server the request.  If AUTHZ_DENIED_USER HTTP_UNAUTHORIZED is
returned.  If AUTHZ_DENIED_ or AUTHZ_NEUTRAL then the response is
HTTP_FORBIDDEN.

Your log shows:
"authorization result of Require tiv ipaddress: denied (no
authenticated user yet)"

This only happens when your module returns AUTHZ_DENIED_NO_USER.  If
you return this value httpd must call into each module since one of
your RequireAll directives might be able to return AUTHZ_DENIED and
then we would need to deny the request without going through the authn
processing or the second authz pass.

A good way of thinking of this is that with RequireAll and RequireNone
the priority of response codes are:
AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_DENIED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_GRANTED
AUTHZ_NEUTRAL

RequireAny:
AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_GRANTED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_DENIED
AUTHZ_NEUTRAL