Posted to users@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2002/07/30 22:46:03 UTC

My comment about <limit> stirred up a little interest, as evidenced by
private emails.  So let me give a quick summary of the issues.  The
details are available at
http://httpd.apache.org/docs-2.0/mod/core.html#limit
(although the docs could probably use a little improvement).

This configuration
<Limit GET POST>
require valid-user
</Limit>
is pretty much always incorrect, because it says "require authentication
for the GET and POST methods, but leave all other methods (say, DELETE,
PUT, etc) unprotected".  In almost all cases, what people really want is
just to drop the <Limit GET POST> and </Limit> lines entirely, and thereby
let the "require valid-user" apply to all methods.

Now, there is a legitimate use of <limit>: if you need to restrict some
methods differently than others.  So, for example, if you are using DAV to
allow publishing content to your server, you may wish to allow everyone to
read the content, but only allow particular people to write it.  But in
this case, it is still best to not use <limit>, because it requires an
exhaustive list of all possible methods.  For example, what if you
limited a bunch of methods, but then upgraded your server to allow an
additional method and forgot to add it to all your <limit> lines?
Instead, you should use <limitexcept>, as in

<LimitExcept GET OPTIONS>
require valid-user
</LimitExcept>

which enforces authentication on all methods except GET and OPTIONS (and
implicitly HEAD).

My recommendation is as follows: 1) Always use <LimitExcept> (or no
<limit*> at all) when restricting access.  2) Use <Limit> if you want to
allow additional access to particular methods only, or in combination with
<LimitExcept> as in (silly example):

<LimitExcept GET>
require user usera
</LimitExcept>
<Limit GET>
require user userb
</Limit>

In general, <Limit> should almost never be used, and <LimitExcept> used
only when specifically needed.

Joshua.
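The post's point is easy to check mechanically: for each HTTP method, which "require" directives actually apply?  The following is an added example (not part of the original mail and not Apache code) that models the documented semantics of <Limit> and <LimitExcept> in a small parser: a require outside any section applies to every method, <Limit> applies its body only to the listed methods, <LimitExcept> applies its body to every method not listed, and a GET entry also covers HEAD.  The parser, the method list and the three sample config fragments below are constructed for illustration; real httpd also validates method names and handles nesting and merging across Directory/Location contexts, which this model ignores.

```python
import re

# Modelled from the httpd docs: restricting GET also restricts HEAD.
# (Assumption for this example: HEAD is the only alias worth modelling.)
ALIASES = {"HEAD": "GET"}

# Matches one <Limit ...>...</Limit> or <LimitExcept ...>...</LimitExcept>
# section; the backreference keeps the open/close tags paired.
SECTION_RE = re.compile(
    r"<(Limit|LimitExcept)\s+([^>]+)>\s*(.*?)\s*</\1>", re.DOTALL
)


def parse_sections(config):
    """Split a config fragment into (kind, methods, body) sections plus the
    directives that sit outside any <Limit*> section."""
    sections = []
    for m in SECTION_RE.finditer(config):
        kind = m.group(1).lower()                       # "limit" / "limitexcept"
        methods = {x.upper() for x in m.group(2).split()}
        body = [ln.strip() for ln in m.group(3).splitlines() if ln.strip()]
        sections.append((kind, methods, body))
    outside = SECTION_RE.sub("", config)
    outside_dirs = [ln.strip() for ln in outside.splitlines() if ln.strip()]
    return sections, outside_dirs


def requires_for(config, method):
    """Return the 'require' directives that apply to one HTTP method."""
    method = method.upper()
    canonical = ALIASES.get(method, method)
    sections, outside = parse_sections(config)
    # A bare 'require' (no <Limit*> around it) protects every method.
    applicable = [d for d in outside if d.lower().startswith("require")]
    for kind, methods, body in sections:
        listed = canonical in methods or method in methods
        # <Limit> fires when the method is listed; <LimitExcept> when it is not.
        if (kind == "limit" and listed) or (kind == "limitexcept" and not listed):
            applicable.extend(d for d in body if d.lower().startswith("require"))
    return applicable


def unprotected_methods(config, methods):
    """Methods for which no 'require' applies at all."""
    return [m for m in methods if not requires_for(config, m)]


# Constructed sample fragments, mirroring the mail's examples.
BAD = """
<Limit GET POST>
require valid-user
</Limit>
"""

GOOD = """
<LimitExcept GET OPTIONS>
require valid-user
</LimitExcept>
"""

COMBINED = """
<LimitExcept GET>
require user usera
</LimitExcept>
<Limit GET>
require user userb
</Limit>
"""

PLAIN = "require valid-user\n"

# A plausible mix of plain and DAV methods to probe (constructed list).
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PROPFIND", "MKCOL"]

if __name__ == "__main__":
    print("<Limit GET POST> leaves open:", unprotected_methods(BAD, METHODS))
    print("<LimitExcept GET OPTIONS> leaves open:", unprotected_methods(GOOD, METHODS))
    for m in ("GET", "HEAD", "PUT"):
        print("combined example,", m, "->", requires_for(COMBINED, m))
```

Running it shows the failure mode the mail describes: the <Limit GET POST> fragment leaves PUT, DELETE, OPTIONS and every DAV method with no require at all, while the <LimitExcept GET OPTIONS> fragment leaves only GET, HEAD and OPTIONS open and protects anything else, including methods that did not exist when the config was written.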

