On 8/29/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
> > To clarify; I understand not duplicating valid-user, but the other
> > authz modules know to decline when they haven't seen a single
> > requirement they grok, which allows mod_authz_user to authorize the
> > request in the case of "Require valid-user". I don't think the
> > coupling is a factor there.
>
>
> No, all of the authz modules should be working the same. They
> all have an AuthzXXXAuthoritative directive which defaults to
> ON. The problem with 2.0 and 2.2 is that if you load multiple
> authz modules and try to use multiple require statements, you
> have no guarantee as to which authz handler will get called
> first. So it might look like authz_XXX module is DECLINEing
> and allowing authz_user's "Require valid-user" to handle the
> authorization, when in fact the authz_XXX handler was never
> called at all.

In 2.2.x, if authz_XXX is one of dbm, owner, or groupfile, they track
the list of requires and decline if they don't see any they're
responsible for -- this isn't a crap shoot of module ordering in this
case.

$ grep \!required *.c
mod_authz_dbm.c: if (!required_group || !conf->authoritative) {
mod_authz_groupfile.c: if (!required_group || !conf->authoritative) {
mod_authz_owner.c: if (!required_owner || !conf->authoritative) {
mod_authz_user.c: if (!required_user) {

That roughly leaves authz_host, authz_default, and authnz_ldap.
authz_host has a built-in default based on Order, and authz_default
doesn't have any Requires to check -- leaving authnz_ldap as the odd
man out.

--
Eric Covener
[EMAIL PROTECTED]
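
Added example (not part of the original message and not httpd source): a simplified C model of the auth_checker chain discussed above, showing that a handler using the `!required_group || !conf->authoritative` guard from the grep output gives the same result for "Require valid-user" whichever side of authz_user it runs on. The first-non-DECLINED-wins loop is a simplification, and `authz_untracked` (a hypothetical handler that does not track its requirements, modelling no real module), `result_for` and the user "alice" are assumptions.

```c
#include <stdio.h>
#include <string.h>

enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };
typedef int (*authz_fn)(const char **reqs, int n, const char *user);
static int authoritative = 1;   /* models AuthzXXXAuthoritative, default On */

/* Count Require lines whose first word is `kw`. */
static int owns(const char **reqs, int n, const char *kw) {
    size_t len = strlen(kw);
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (!strncmp(reqs[i], kw, len) && (reqs[i][len] == ' ' || !reqs[i][len]))
            hits++;
    return hits;
}
/* groupfile/dbm pattern: no "group" requirement seen, so decline. */
static int authz_group(const char **reqs, int n, const char *user) {
    (void)user;
    int required_group = owns(reqs, n, "group");
    if (!required_group || !authoritative) return DECLINED;
    return HTTP_UNAUTHORIZED;   /* constructed: the user is in no group */
}
/* authz_user pattern: valid-user passes, otherwise match "user <name>". */
static int authz_user(const char **reqs, int n, const char *user) {
    int required_user = 0;
    if (owns(reqs, n, "valid-user")) return OK;
    for (int i = 0; i < n; i++)
        if (!strncmp(reqs[i], "user ", 5)) {
            required_user = 1;
            if (!strcmp(reqs[i] + 5, user)) return OK;
        }
    return required_user ? HTTP_UNAUTHORIZED : DECLINED;
}
/* Hypothetical handler without the guard: denies whatever it cannot satisfy. */
static int authz_untracked(const char **r, int n, const char *u) {
    (void)r; (void)n; (void)u;
    return HTTP_UNAUTHORIZED;
}
/* "Require valid-user" with `other` placed before or after authz_user. */
int result_for(authz_fn other, int other_first) {
    const char *reqs[] = { "valid-user" };
    authz_fn chain[2] = { other_first ? other : authz_user,
                          other_first ? authz_user : other };
    for (int i = 0; i < 2; i++) {          /* first non-DECLINED result wins */
        int rv = chain[i](reqs, 1, "alice");
        if (rv != DECLINED) return rv;
    }
    return DECLINED;
}
int main(void) {
    printf("tracking:  first=%d last=%d\n", result_for(authz_group, 1), result_for(authz_group, 0));
    printf("untracked: first=%d last=%d\n", result_for(authz_untracked, 1), result_for(authz_untracked, 0));
    return 0;
}
```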