On Thursday 15 July 2010, Ruediger Pluem wrote:
> On 07/14/2010 09:59 PM, [email protected] wrote:
> > Author: sf
> > Date: Wed Jul 14 19:59:31 2010
> > New Revision: 964156
> >
> > URL: http://svn.apache.org/viewvc?rev=964156&view=rev
> > Log:
> > The approach for allowing authorization by user or IP introduced
> > in r956387, etc. causes problems because the authentication
> > module calls note_*_auth_failure if authentication fails. This
> > is inappropriate if access is later allowed because of the IP.
> >
> > So, instead of calling the auth_checker hook even if
> > authentication failed, we introduce a new access_checker_ex hook
> > that runs between the access_checker and the check_user_id
> > hooks. If an access_checker_ex function returns OK, the request
> > will be allowed without authentication.
> >
> > To make use of this, change mod_authz_core to walk the require
> > blocks in the access_checker_ex phase and deny/allow the request
> > if the authz result does not depend on an authenticated user. To
> > distinguish a real AUTHZ_DENIED from an authz provider from an
> > authz provider needing an authenticated user, the latter must
> > return the new AUTHZ_DENIED_NO_USER code.
> > > > Modified: > > httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml > > httpd/httpd/trunk/include/ap_mmn.h > > httpd/httpd/trunk/include/http_request.h > > httpd/httpd/trunk/include/mod_auth.h > > httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c > > httpd/httpd/trunk/modules/aaa/mod_authz_core.c > > httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c > > httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c > > httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c > > httpd/httpd/trunk/modules/aaa/mod_authz_host.c > > httpd/httpd/trunk/modules/aaa/mod_authz_owner.c > > httpd/httpd/trunk/modules/aaa/mod_authz_user.c > > httpd/httpd/trunk/server/request.c > > > > Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c > > URL: > > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_a > > uthz_host.c?rev=964156&r1=964155&r2=964156&view=diff > > ================================================================ > > ============== --- httpd/httpd/trunk/modules/aaa/mod_authz_host.c > > (original) +++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c > > Wed Jul 14 19:59:31 2010 @@ -104,7 +104,7 @@ static authz_status > > env_check_authorizat > > > > } > > > > } > > > > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > > Why changing to debug? > > > "access to %s failed, reason: env variable > > list does not meet " "'require'ments for user > > '%s' to be allowed access", r->uri, r->user); > > > > @@ -162,7 +162,7 @@ static authz_status ip_check_authorizati > > > > } > > > > } > > > > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > > > > "access to %s failed, reason: ip address list > > does not meet " "'require'ments for user '%s' > > to be allowed access", r->uri, r->user); > > Why changing to debug? 
> > > @@ -197,7 +197,7 @@ static authz_status host_check_authoriza > > > > } > > > > } > > > > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > > > > "access to %s failed, reason: host name > > list does not meet " "'require'ments for > > user '%s' to be allowed access", r->uri, > > r->user); > > Why changing to debug?
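Review bot: all three changed ap_log_rerror calls (the env, ip and host checks in mod_authz_host.c) still format r->user into "'require'ments for user '%s' to be allowed access", but per the commit log these require blocks are now walked in the access_checker_ex phase, which runs before check_user_id, so r->user may not be set when the message is written. Consider dropping the user from these three messages, or only including it when r->user is non-NULL, so the debug output does not name a nonexistent user. Separately, with the level lowered from APLOG_ERR to APLOG_DEBUG in each hunk, a request that ends up denied no longer leaves an error-level line from these providers; it is worth confirming that the final deny decision is logged once at a higher level where the overall result is known, since that code is not part of these hunks.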
Because it's way too verbose in configurations where several Require directives are in a <RequireAny> block. In this case every Require that does not match would produce an ERROR-level log message, even if the request is finally allowed by a later Require directive. I would be ok with level INFO, too, but like DEBUG better. And people who need the info can still set "Loglevel authz_core:debug".
