Posted to dev@httpd.apache.org by André Malo <nd...@perlig.de> on 2002/07/22 01:07:41 UTC

httpd-2.0 and Auth*Authoritative

Hi,

[posted this to de.ciws and later ciwsu several days ago, but got no 
response up to now]
Sorry, if I'm off-topic here:

'AuthAuthoritative off' and related give the possibility to put some
auth modules into a chain. But it seems that this directive is not very 
useful in conjunction with the 2.0 API.

I stepped through the code, especially the following files:

modules/mod_auth.c,
modules/mod_auth_dbm.c,
modules/mod_auth_anon.c and
srclib/apr-util/hooks/apr_hooks.c

Per default all modules register the check_user_id hook at
APR_HOOK_MIDDLE relative position, i.e. the auth-module-ordering is more
or less done randomly (because they're sorted in apr_hooks.c/prepare()
by a qsort call).

So I can only /test/, but not influence at runtime, how the modules are 
ordered at startup.
However, the test result may be moved to /dev/null if someone
changes the LoadModule-directives (by adding or removing some modules,
that register the check_user_id hook, too).

Now my question ;-):
Did I understand the code right? Or do I miss anything important?

TIA, nd
-- 
$_=q?tvc!uif)%*|#Bopuifs!A`#~tvc!Xibu)%*|qsjou#Kvtu!A`#~tvc!KBQI!)*|~
tvc!ifmm)%*|#Qfsm!A`#~tvc!jt)%*|(Ibdlfs(~  # What the hell is JAPH? ;
@_=split/\s\s+#/;$_=(join''=>map{chr(ord(  #             André Malo ;
$_)-1)}split//=>$_[0]).$_[1];s s.*s$_see;  #  http://www.perlig.de/ ;

Re: httpd-2.0 and Auth*Authoritative

Posted by di...@covalent.net.
> I have often spoken of having a per directory/location ordering of auth
> handlers.  This would allow you to load a bunch of auth handler modules,
> then in a given directory elect which ones are run, and what order they
> run in (and the last one would be assumed authoritative perhaps).

That would be -very- useful. And not just for auth - also for modules
rewriting. So perhaps a per hook order control. Of course there are some
chicken egg issues with this !

Dw.


Re: httpd-2.0 and Auth*Authoritative

Posted by di...@covalent.net.
> having different orderings/groupings for different parts of the server.
> But true - My proposal above would be to eliminate any dependency on
> module load order and remove all the Authoritative stuff.

Aye - something like

	AuthOrder	mod_auth_db, mod_auth_cookie, mod_auth
	AccessOrder	mod_access, mod_auth
	FixUpOrder	...,...

And similar for the other hooks.

Dw


Re: httpd-2.0 and Auth*Authoritative

Posted by jo...@sterls.com.

On Sun, 21 Jul 2002 dirkx@covalent.net wrote:

>
> > I have often spoken of having a per directory/location ordering of auth
> > handlers.  This would allow you to load a bunch of auth handler modules,
> > then in a given directory elect which ones are run, and what order they
> > run in (and the last one would be assumed authoritative perhaps).
>
> Actually - this of course depends as to whether you compile static or
> dynamic, then there is the LoadModule/ClearModuleList/AddModule trickery
> and not to forget the fine-tuning that one can do when registering the
> hooks. If anything I'd say that this has too many tunable knobs !

That is assuming all the auth modules you wish to use are hooked the same
(e.g. middle) at the time they were compiled.  And it doesn't allow for
having different orderings/groupings for different parts of the server.
But true - My proposal above would be to eliminate any dependency on
module load order and remove all the Authoritative stuff.

sterling


Re: httpd-2.0 and Auth*Authoritative

Posted by di...@covalent.net.
> I have often spoken of having a per directory/location ordering of auth
> handlers.  This would allow you to load a bunch of auth handler modules,
> then in a given directory elect which ones are run, and what order they
> run in (and the last one would be assumed authoritative perhaps).

Actually - this of course depends as to whether you compile static or
dynamic, then there is the LoadModule/ClearModuleList/AddModule trickery
and not to forget the fine-tuning that one can do when registering the
hooks. If anything I'd say that this has too many tunable knobs !

Dw.


Re: httpd-2.0 and Auth*Authoritative

Posted by jo...@sterls.com.
On Mon, 22 Jul 2002, André Malo wrote:

> Hi,
>
> 'AuthAuthoritative off' and related give the possibility to put some
> auth modules into a chain. But it seems that this directive is not very
> useful in conjunction with the 2.0 API.

AuthAuthoritative is really just a way to tell mod_auth to return DECLINED
instead of UNAUTHORIZED (or vice versa) to allow other modules who HAPPEN
to be loaded after mod_auth to be called as well in the case mod_auth
either cannot, or does not, authorize the user.

This is, as you imply, really not very useful since modules are ordered at
compile time - so you cannot determine the order of the modules at run
time.  There has been a lot of bantering about 'better' ways of doing this
- and suggestions are welcome.

I have often spoken of having a per directory/location ordering of auth
handlers.  This would allow you to load a bunch of auth handler modules,
then in a given directory elect which ones are run, and what order they
run in (and the last one would be assumed authoritative perhaps).

sterling
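
Added illustration, not part of the thread and not httpd source: a simplified C model of a hook chain in which the first handler that returns something other than DECLINED decides the request, as the message above describes for mod_auth. The `auth_module` struct, its single-user lookup, `run_chain` and `result_for_order` are hypothetical names, and the users and module settings are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Hypothetical stand-in for an auth module's check_user_id handler. */
typedef struct {
    const char *known_user;  /* the one user this module can authenticate */
    int authoritative;       /* models Auth*Authoritative on (1) or off (0) */
} auth_module;

/* OK for a known user; otherwise 401 if authoritative, DECLINED if not. */
static int check_user_id(const auth_module *m, const char *user)
{
    if (strcmp(m->known_user, user) == 0)
        return OK;
    return m->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* Walk the chain in order; the first non-DECLINED result ends the walk. */
static int run_chain(const auth_module *chain, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++) {
        int rv = check_user_id(&chain[i], user);
        if (rv != DECLINED)
            return rv;
    }
    return DECLINED; /* no module took responsibility */
}

/* Constructed sample: two modules at the same hook position, in either order. */
static int result_for_order(int dbm_first, const char *user)
{
    const auth_module file_auth = {"alice", 0}; /* mod_auth, Authoritative off */
    const auth_module dbm_auth = {"bob", 1};    /* mod_auth_dbm, Authoritative on */
    auth_module chain[2];
    chain[0] = dbm_first ? dbm_auth : file_auth;
    chain[1] = dbm_first ? file_auth : dbm_auth;
    return run_chain(chain, 2, user);
}

int main(void)
{
    printf("mod_auth first, alice:     %d\n", result_for_order(0, "alice"));
    printf("mod_auth_dbm first, alice: %d\n", result_for_order(1, "alice"));
    return 0;
}
```

The same two modules and the same request yield 0 (OK) or 401 depending only on which handler runs first, which is why an untested change in ordering can silently lock out or admit a different set of users.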