Posted to dev@httpd.apache.org by Ben Reser <be...@reser.org> on 2013/08/02 03:05:10 UTC
Re: Struggling with AuthMerging
On Wed, Jul 31, 2013 at 8:02 AM, Mikhail T. <mi...@aldan.algebra.com> wrote:
> As a minimum, testing the subsequent children of RequireAll after one of
> them already responded with "denied" seems like a bug...
I'm not sure about the AuthMerging but I can say that trying the "tiv
expiration" is not a bug.
First of all you should understand that authz providers are called
TWICE. The general process for authz handling is as such:
1) authz providers are called before authentication is processed to
check for anonymous access (i.e. r->user == NULL). If the resulting
response is AUTHZ_GRANTED then access is provided and no other
authn/authz processing occurs. If the resulting response is
AUTHZ_DENIED or AUTHZ_NEUTRAL then the request is provided with
HTTP_FORBIDDEN. If the resulting response is AUTHZ_DENIED_NO_USER
then processing continues.
2) authentication is processed. r->user gets set. Errors out here if
the user can't authenticate.
3) authz providers are called this time with r->user set. If the
result is AUTHZ_GRANTED then access is granted and http starts the
work to serve the request. If AUTHZ_DENIED_USER, HTTP_UNAUTHORIZED is
returned. If AUTHZ_DENIED_ or AUTHZ_NEUTRAL then the response is
HTTP_FORBIDDEN.
Your log shows:
"authorization result of Require tiv ipaddress: denied (no
authenticated user yet)"
This only happens when your module returns AUTHZ_DENIED_NO_USER. If
you return this value httpd must call into each module since one of
your RequireAll directives might be able to return AUTHZ_DENIED and
then we would need to deny the request without going through the authn
processing or the second authz pass.
A good way of thinking of this is that with RequireAll and RequireNone
the priority of response codes is:
AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_DENIED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_GRANTED
AUTHZ_NEUTRAL
RequireAny:
AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_GRANTED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_DENIED
AUTHZ_NEUTRAL
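
[Added example, not part of the message above and not httpd's own code: a small stand-alone C model of the two priority lists, showing why a RequireAll container keeps calling its children after one of them answers AUTHZ_DENIED_NO_USER. The enum is a local copy of the result names used in the message; merge(), rank() and the container type are hypothetical names, and the sample results are constructed.]

```c
#include <stdio.h>
#include <stddef.h>

/* Local model of the result codes named in the message (not mod_auth.h). */
typedef enum { AUTHZ_NEUTRAL, AUTHZ_GRANTED, AUTHZ_DENIED,
               AUTHZ_DENIED_NO_USER, AUTHZ_GENERAL_ERROR } authz_result;
typedef enum { REQUIRE_ALL, REQUIRE_ANY } container;

/* Rank of a result inside a container, taken from the two priority lists
 * in the message; a higher rank overrides a lower one. */
static int rank(container c, authz_result r)
{
    switch (r) {
    case AUTHZ_GENERAL_ERROR:  return 4;
    case AUTHZ_DENIED:         return c == REQUIRE_ALL ? 3 : 1;
    case AUTHZ_GRANTED:        return c == REQUIRE_ANY ? 3 : 1;
    case AUTHZ_DENIED_NO_USER: return 2;
    default:                   return 0;   /* AUTHZ_NEUTRAL */
    }
}

/* Merge the children's results in order. Stops early only on rank 3 or 4
 * (error, or the container's short-circuit result); *evaluated reports
 * how many children had to be called. */
authz_result merge(container c, const authz_result *child, size_t n,
                   size_t *evaluated)
{
    authz_result best = AUTHZ_NEUTRAL;
    size_t i = 0;
    while (i < n) {
        authz_result r = child[i++];
        if (rank(c, r) > rank(c, best))
            best = r;
        if (rank(c, best) >= 3)
            break;
    }
    *evaluated = i;
    return best;
}

int main(void)
{
    /* Constructed first-pass results: child 1 needs a user, child 2 denies. */
    const authz_result kids[] = { AUTHZ_DENIED_NO_USER, AUTHZ_DENIED };
    size_t called;
    authz_result r = merge(REQUIRE_ALL, kids, 2, &called);
    printf("RequireAll -> %d after %zu children\n", (int)r, called);
    return 0;
}
```

[In this model the second child's AUTHZ_DENIED overrides the first child's AUTHZ_DENIED_NO_USER, which is the case the message gives as the reason every sibling is still called on the first pass.]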