On Sat, Nov 26, 2005 at 10:56:23AM -0700, Brad Nicholes wrote: > Speaking of authz rewrite, currently the directives 'authtype', > 'authname' and 'require' are all implemented in the core module. This > just doesn't seem like the right place for them so I am considering > moving the directives to mod_authz_host.
Just a thought (sorry if this has been suggested before): perhaps you could borrow some ideas from PAM. In PAM, each authentication module takes a turn, and its results can be marked as "sufficient" or "required". Using this model, "Satisfy All" could be Require valid-user required Allow from 192.168.1 required whilst "Satisfy Any" could be Require valid-user sufficient Allow from 192.168.1 sufficient Deny from all although the choice of keywords could be made a lot clearer,especially "require .. required"! IMO, "require..." and "allow..." are really just 'authorise by user' and 'authorise by host ip' respectively, so two cases of more or less the same thing. Also, I don't see why a single authorisation module couldn't be invoked more than once: Allow from 192.168.1 sufficient Allow from 192.168.4 sufficient Deny from 192.168 sufficient Allow from all would mean "deny from all 192.168 addresses except 192.168.1 and 192.168.4". A formulation like the above is something that I personally would find a lot easier to understand than the "order allow,deny" or "order deny,allow" stuff required now, which I have to look up *every* time I use it to make sure I get it the right way round :-) Another model to look at would be Exim ACLs. Essentially, each ACL condition can give an accept (2xx), reject (5xx) or defer (4xx) response. Then you build up ACLs such as accept condition1 condition2 condition3 (if all of condition1, condition2 and condition3 are true then the ACL terminates with an 'accept' condition. If any defer, then the ACL defers. Otherwise continue to the next ACL entry) reject condition1 condition2 (if both of condition1 and condition2 are true then the ACL terminates with a 'reject' condition) Regards, Brian.