Re: 401 response with reject ip?

Wed, 26 Jul 2006 08:24:44 -0700 

>>> On 7/26/2006 at 9:11 AM, in message <[EMAIL PROTECTED]>,
Ruediger
Pluem <[EMAIL PROTECTED]> wrote:

>>>>>On Mon, Jul 24, 2006 at  9:02 AM, in message
<[EMAIL PROTECTED]>,
>>    Well, I think that the following patch in mod_authz_core.c fixes
the 
> problem that you are looking at:
>> 
>> @@ -628,16 +633,25 @@
>> 
>>          switch (auth_result) {
>>              case AUTHZ_DENIED:
>> +            case AUTHZ_NEUTRAL:
> 
> It seems that this patch is incomplete as AUTHZ_NEUTRAL is not
defined.
> Furthermore doesn't mod_authz_host has to return AUTHZ_NEUTRAL?

Sorry, AUTHZ_NEUTRAL was part of a follow-on patch that I am working
on.  It shouldn't have been part of this patch.



>> However, this brings up the question, what does "reject" actually
mean?  
> "Require" means that if true then authorization
>> is granted otherwise authorization is denied.  "Reject" obviously
means that 
> if true, then authorization is denied but
>> it does not necessarily mean the opposite.  So in the case that you
defined:
>> 
>> 
>>><location />
>>>  reject ip 127.0.0.1
>>></location>
>> 
>> 
>> obviously if the request is coming from 127.0.0.1 then the request
is 
> denied.  But if the request comes from some other
>> ip address, is authorization automatically granted?  I don't think
it is.  
> There still needs to be a "Require" statement
>> in the configuration somewhere.
> 
> It does give me access when I get there from an IP != 127.0.0.1
without any
> further require directive. I don't know if this is works as designed
or a 
> bug.

At this point I consider it to be a bug.  This is the patch that I am
currently working on that includes the use of AUTHZ_NEUTRAL return code.
 I think that if the reject condition is satisfied then the request
should definitely be denied however I don't think that reject should
ever grant authorization.  I think that the correct configuration for
your example should be

<location />
  require all granted
  reject ip 127.0.0.1
</location>

If you wanted it to work as it is now.  This would basically be the
same as

<location />
  order allow,deny
  deny from 127.0.0.1
</location>

under 2.2 configuration syntax

Brad

Reply via email to