On 07/29/2006 12:30 AM, Brad Nicholes wrote:
> There is a new concept (directive) that has been added to the
> authorization (access control) portion of the web server. This new concept
> is "reject". Basically what this directive does is allow you to specify
> conditions by which access or authorization is denied. The question I have
> is how binding should "reject" be when found within a hierarchy set of
> authorization rules? Given the following configuration for example:
>
> Alias /pages /www/pages
>
> <Directory /www/pages>
> Reject ip 127.0.0.1
> </Directory>
>
> <Directory /www/pages/secure>
> Authtype Basic
> AuthName Something
> AuthBasicProvider file
> AuthUserFile /somewhere/usr.dat
>
> <SatisfyAll>
> Require valid-user
> Reject user joe
> </SatisfyAll>
> </Directory>
>
>
> In this case is the user granted or denied access to the following URL:
>
> https://127.0.0.1/pages/secure
> user: betty
>
> betty would be a valid user and the user name != joe but the ip is 127.0.0.1.
> In other words if the authorization directives specified in both <Directory>
> blocks are OR'ed together then authorization would be GRANTED since the
> result of the second block is GRANTED. However if the blocks are AND'ed
> together or the "reject" directive is definitive, then the result would be
> DENIED. Under the current implementation the implied merge would be an OR
> operation resulting in access GRANTED. So I guess my question is, should
> "reject" be definitive? If a "reject" rule is ever encountered and
> satisfied within the logic of authorization, is access automatically denied
> no matter what any of the other rules might produce? I am leaning towards
> 'yes, access should be denied'.
I guess we need something like the old satisfy any / satisfy all here. In old speak satisfy any would have granted betty access whereas satisfy all would have denied it. As you cannot build <SatisfyAll> <SatisfyOne> blocks across different Directory / Location containers I think we need to have a directive that decides how to merge (AND / OR) the authz result from the "parent" container with that from the current container.

Regards

Rüdiger
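The merge question in this thread, worked through as a small Python model added here (it is not httpd code and does not claim to reproduce the server's real authz engine): each <Directory> block is a list of Require/Reject rules, the parent and child block results are merged with either OR (the implied merge Brad describes) or AND (the alternative Rüdiger's directive would select), and a separate flag models a definitive "reject". The configuration and the request for user betty from 127.0.0.1 are the ones quoted above; the other requests are constructed for comparison.

```python
from typing import List, Optional, Tuple

# A rule is a tuple: ("require", "valid-user"), ("require", "user", "joe"),
# ("reject", "ip", "127.0.0.1") or ("reject", "user", "joe").
Rule = Tuple[str, ...]

def rule_matches(rule: Rule, ip: str, user: Optional[str]) -> bool:
    """True when the rule's condition holds for this request."""
    kind = rule[1]
    if kind == "valid-user":
        return user is not None
    if kind == "user":
        return user == rule[2]
    if kind == "ip":
        return ip == rule[2]
    raise ValueError(f"unknown rule kind {kind!r}")

def eval_container(rules: List[Rule], ip: str, user: Optional[str],
                   satisfy: str = "all") -> Tuple[bool, bool]:
    """Evaluate one <Directory> block. Returns (granted, reject_hit).
    satisfy is "all" (<SatisfyAll>) or "one" (<SatisfyOne>)."""
    requires = [rule_matches(r, ip, user) for r in rules if r[0] == "require"]
    reject_hit = any(rule_matches(r, ip, user) for r in rules if r[0] == "reject")
    # A block with only Reject rules grants unless one of them is satisfied.
    if not requires:
        require_ok = True
    else:
        require_ok = all(requires) if satisfy == "all" else any(requires)
    return require_ok and not reject_hit, reject_hit

def authorize(containers, ip, user, merge="or", definitive_reject=False) -> str:
    """Merge the parent and child block results. merge="or" is the implied
    merge from the thread, merge="and" the alternative; definitive_reject=True
    means any satisfied Reject denies no matter what the other blocks say."""
    results = [eval_container(rules, ip, user, satisfy) for rules, satisfy in containers]
    if definitive_reject and any(hit for _, hit in results):
        return "DENIED"
    grants = [granted for granted, _ in results]
    merged = any(grants) if merge == "or" else all(grants)
    return "GRANTED" if merged else "DENIED"

# The two blocks from the thread: /www/pages, then /www/pages/secure.
PAGES = [("reject", "ip", "127.0.0.1")]
SECURE = [("require", "valid-user"), ("reject", "user", "joe")]
THREAD_CONFIG = [(PAGES, "all"), (SECURE, "all")]

def betty_from_localhost(merge: str, definitive_reject: bool = False) -> str:
    """The exact case asked in the thread: user betty, ip 127.0.0.1."""
    return authorize(THREAD_CONFIG, "127.0.0.1", "betty", merge, definitive_reject)

if __name__ == "__main__":
    for merge, definitive in (("or", False), ("and", False), ("or", True)):
        print(f"merge={merge} definitive_reject={definitive}:",
              betty_from_localhost(merge, definitive))
```

Under the OR merge the model also lets joe through from any non-local address because the parent block alone grants, which is the weakness a definitive reject (or an AND merge) closes.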
