Posted to cvs@httpd.apache.org by sf...@apache.org on 2010/09/30 19:37:55 UTC
svn commit: r1003180 - in /httpd/httpd/trunk/docs/manual/mod:
mod_authz_core.html.en mod_authz_core.xml mod_ssl.html.en mod_ssl.xml
Author: sf
Date: Thu Sep 30 17:37:55 2010
New Revision: 1003180
URL: http://svn.apache.org/viewvc?rev=1003180&view=rev
Log:
add a bit of doc for the new authz providers
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en
httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en?rev=1003180&r1=1003179&r2=1003180&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en Thu Sep 30 17:37:55 2010
@@ -247,6 +247,21 @@
+ <h3><a name="reqexpr" id="reqexpr">Require expr</a></h3>
+
+ <p>The <code>expr</code> provider allows to base authorization
+ decisions on arbitrary expressions.</p>
+
+ <div class="example"><p><code>
+ Require expr %{TIME_HOUR} >= 9 & %{TIME_HOUR} <= 17 <br />
+ </code></p></div>
+
+ <p>TODO: Include a link to a description of the ap_expr syntax, once we have
+ such a description.</p>
+
+
+
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
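Review bot: The added paragraph "TODO: Include a link to a description of the ap_expr syntax, once we have such a description." sits in a <p> element, so it is rendered to readers of the manual. Keep the reminder as an XML comment in mod_authz_core.xml (this .html.en file carries the same text in rendered form) so the published page does not show a to-do item, and drop the run of empty lines added before the closing </div>.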
@@ -374,6 +389,9 @@ an authorization provider.</td></tr>
<dt><code>Require method <var>http-method</var> [<var>http-method</var>]
...</code></dt>
<dd>Access is allowed only for the given HTTP methods.</dd>
+
+ <dt><code>Require expr <var>expression</var> </code></dt>
+ <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
</dl>
<p>Some of the allowed syntaxes provided by <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>
@@ -395,8 +413,8 @@ an authorization provider.</td></tr>
<p>Other authorization modules that implement require options
include <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
<code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code>,
- <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>, and
- <code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code>.</p>
+ <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>,
+ <code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code> and <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
<p>In most cases, for a complete authentication and authorization
configuration, <code class="directive">Require</code> must be accompanied by
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1003180&r1=1003179&r2=1003180&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Thu Sep 30 17:37:55 2010
@@ -232,6 +232,21 @@
</section>
+ <section id="reqexpr"><title>Require expr</title>
+
+ <p>The <code>expr</code> provider allows to base authorization
+ decisions on arbitrary expressions.</p>
+
+ <example>
+ Require expr %{TIME_HOUR} >= 9 & %{TIME_HOUR} <= 17 <br />
+ </example>
+
+ <p>TODO: Include a link to a description of the ap_expr syntax, once we have
+ such a description.</p>
+
+ </section>
+
+
</section>
<directivesynopsis>
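Review bot: In the example, "%{TIME_HOUR} <= 17" is true for the whole of hour 17, so the rule admits requests until 17:59, which a reader looking for a nine-to-five window may not expect; say so in the text or use "< 17". In the same section, "allows to base authorization decisions on" lacks an object ("allows authorization decisions to be based on" reads correctly), and the trailing <br /> after the single example line does nothing.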
@@ -265,6 +280,9 @@ an authorization provider.</description>
<dt><code>Require method <var>http-method</var> [<var>http-method</var>]
...</code></dt>
<dd>Access is allowed only for the given HTTP methods.</dd>
+
+ <dt><code>Require expr <var>expression</var> </code></dt>
+ <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
</dl>
<p>Some of the allowed syntaxes provided by <module>mod_authz_user</module>
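Review bot: The new "Require expr expression" entry gives no pointer to what an expression may contain; link the <dd> to the "reqexpr" section added earlier in this patch. There is also a stray space before </code> in the <dt> line.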
@@ -286,8 +304,8 @@ an authorization provider.</description>
<p>Other authorization modules that implement require options
include <module>mod_authnz_ldap</module>,
<module>mod_authz_dbm</module>, <module>mod_authz_dbd</module>,
- <module>mod_authz_host</module>, and
- <module>mod_authz_owner</module>.</p>
+ <module>mod_authz_host</module>,
+ <module>mod_authz_owner</module> and <module>mod_ssl</module>.</p>
<p>In most cases, for a complete authentication and authorization
configuration, <directive>Require</directive> must be accompanied by
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=1003180&r1=1003179&r2=1003180&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Thu Sep 30 17:37:55 2010
@@ -92,6 +92,7 @@ to provide the cryptography engine.</p>
<li><img alt="" src="../images/down.gif" /> <a href="#envvars">Environment Variables</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#logformats">Custom Log Formats</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#notes">Request Notes</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authzproviders">Authorization providers for use with Require</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
@@ -237,6 +238,42 @@ string in <code class="module"><a href="
for the current connection, the note is not set.</dd>
</dl>
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="authzproviders" id="authzproviders">Authorization providers for use with Require</a></h2>
+
+ <p><code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides a few authentication providers for use
+ with <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code>'s
+ <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code> directive.</p>
+
+ <h3><a name="reqssl" id="reqssl">Require ssl</a></h3>
+
+ <p>The <code>ssl</code> provider denies access if a connection is not
+ encrypted with SSL. This is similar to the
+ <code class="directive">SSLRequireSSL</code> directive.</p>
+
+ <div class="example"><p><code>
+ Require ssl
+ </code></p></div>
+
+
+
+ <h3><a name="reqverifyclient" id="reqverifyclient">Require ssl-verify-client</a></h3>
+
+ <p>The <code>ssl</code> provider allows access if the user is
+ authenticated with a valid client certificate. This is only
+ useful if <code>SSLVerifyClient optional</code> is in effect.</p>
+
+ <p>The following example grants access if the user is authenticated
+ either with a client certificate or by username and password.</p>
+
+ <div class="example"><p><code>
+ Require ssl-verify-client<br />
+ Require valid-user
+ </code></p></div>
+
+
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCACertificateFile" id="SSLCACertificateFile">SSLCACertificateFile</a> <a name="sslcacertificatefile" id="sslcacertificatefile">Directive</a></h2>
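Review bot: Under the "Require ssl-verify-client" heading the paragraph begins "The ssl provider allows access if the user is authenticated with a valid client certificate", which names the wrong provider (it matches the opening of the "Require ssl" section above); it should read "The ssl-verify-client provider". As written, a reader could take plain "Require ssl" to imply a client-certificate check.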
@@ -1535,12 +1572,6 @@ This directive specifies a general acces
fulfilled in order to allow access. It is a very powerful directive because the
requirement specification is an arbitrarily complex boolean expression
containing any number of access checks.</p>
-<div class="warning">
-<p>The implementation of <code>SSLRequire</code> is not thread safe.
- Using <code>SSLRequire</code> inside <code>.htaccess</code> files
- on a threaded <a href="../mpm.html">MPM</a> may cause random crashes.
-</p>
-</div>
<p>
The <em>expression</em> must match the following syntax (given as a BNF
grammar notation):</p>
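Review bot: The removal of the warning that "The implementation of SSLRequire is not thread safe" is not covered by the log message ("add a bit of doc for the new authz providers"), and nothing in this patch shows why the warning no longer applies. If a code change fixed the thread-safety problem, name that revision in the log; otherwise keep the warning. The same removal is made in mod_ssl.xml.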
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1003180&r1=1003179&r2=1003180&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Sep 30 17:37:55 2010
@@ -189,6 +189,42 @@ string in <module>mod_log_config</module
</section>
+<section id="authzproviders"><title>Authorization providers for use with Require</title>
+
+ <p><module>mod_ssl</module> provides a few authentication providers for use
+ with <module>mod_authz_core</module>'s
+ <directive module="mod_authz_core">Require</directive> directive.</p>
+
+ <section id="reqssl"><title>Require ssl</title>
+
+ <p>The <code>ssl</code> provider denies access if a connection is not
+ encrypted with SSL. This is similar to the
+ <directive>SSLRequireSSL</directive> directive.</p>
+
+ <example>
+ Require ssl
+ </example>
+
+ </section>
+
+ <section id="reqverifyclient"><title>Require ssl-verify-client</title>
+
+ <p>The <code>ssl</code> provider allows access if the user is
+ authenticated with a valid client certificate. This is only
+ useful if <code>SSLVerifyClient optional</code> is in effect.</p>
+
+ <p>The following example grants access if the user is authenticated
+ either with a client certificate or by username and password.</p>
+
+ <example>
+ Require ssl-verify-client<br/>
+ Require valid-user
+ </example>
+
+ </section>
+
+</section>
+
<directivesynopsis>
<name>SSLPassPhraseDialog</name>
<description>Type of pass phrase dialog for encrypted private
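Review bot: The introductory sentence says mod_ssl "provides a few authentication providers", but the section title and the Require directive are about authorization; change it to "authorization providers". The last example also depends on the two Require lines being treated as alternatives and on password authentication being configured elsewhere; a sentence stating both would keep readers from copying the two lines on their own.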
@@ -1192,12 +1228,6 @@ This directive specifies a general acces
fulfilled in order to allow access. It is a very powerful directive because the
requirement specification is an arbitrarily complex boolean expression
containing any number of access checks.</p>
-<note type="warning">
-<p>The implementation of <code>SSLRequire</code> is not thread safe.
- Using <code>SSLRequire</code> inside <code>.htaccess</code> files
- on a threaded <a href="../mpm.html">MPM</a> may cause random crashes.
-</p>
-</note>
<p>
The <em>expression</em> must match the following syntax (given as a BNF
grammar notation):</p>