On Wed, Jul 31, 2013 at 8:02 AM, Mikhail T. <[email protected]> wrote:

> As a minimum, testing the subsequent children of RequireAll after one of
> them already responded with "denied" seems like a bug...
I'm not sure about the AuthMerging but I can say that trying the "tiv expiration" is not a bug. First of all you should understand that authz providers are called TWICE. The general process for authz handling is as such:

1) authz providers are called before authentication is processed to check for anonymous access (i.e. r->user == NULL). If the resulting response is AUTHZ_GRANTED then access is provided and no other authn/authz processing occurs. If the resulting response is AUTHZ_DENIED or AUTHZ_NEUTRAL then the request is provided with HTTP_FORBIDDEN. If the resulting response is AUTHZ_DENIED_NO_USER then processing continues.

2) authentication is processed. r->user gets set. Errors out here if the user can't authenticate.

3) authz providers are called, this time with r->user set. If the result is AUTHZ_GRANTED then access is granted and httpd starts the work to serve the request. If AUTHZ_DENIED_USER, HTTP_UNAUTHORIZED is returned. If AUTHZ_DENIED or AUTHZ_NEUTRAL then the response is HTTP_FORBIDDEN.

Your log shows:

"authorization result of Require tiv ipaddress: denied (no authenticated user yet)"

This only happens when your module returns AUTHZ_DENIED_NO_USER. If you return this value httpd must call into each module since one of your RequireAll directives might be able to return AUTHZ_DENIED, and then we would need to deny the request without going through the authn processing or the second authz pass.

A good way of thinking of this is that with RequireAll and RequireNone the priorities of response codes are:

AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_DENIED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_GRANTED
AUTHZ_NEUTRAL

RequireAny:

AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_GRANTED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_DENIED
AUTHZ_NEUTRAL
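To make the merge rules above concrete, here is an added illustration (not httpd's mod_authz_core code) that folds sibling provider results for a RequireAll or RequireAny container using exactly the priority lists and short-circuits stated in the reply, and reports how many siblings had to be evaluated. The enum names mirror httpd's status names but are defined locally here; the first-pass outcome mapping and the sample result sets are constructed for the example.

```c
#include <stdio.h>

/* Local stand-ins for httpd's authz_status values (assumption: same names, own numbering). */
typedef enum { AUTHZ_DENIED_NO_USER, AUTHZ_DENIED, AUTHZ_GRANTED,
               AUTHZ_NEUTRAL, AUTHZ_GENERAL_ERROR } authz_status;
typedef enum { LOGIC_ALL, LOGIC_ANY } authz_logic;   /* RequireAll(/None) vs RequireAny */

/* Rank of a result under each container type, higher rank wins when siblings disagree. */
static int rank(authz_logic logic, authz_status s)
{
    switch (s) {
    case AUTHZ_GENERAL_ERROR:  return 5;
    case AUTHZ_DENIED:         return logic == LOGIC_ALL ? 4 : 2;
    case AUTHZ_GRANTED:        return logic == LOGIC_ALL ? 2 : 4;
    case AUTHZ_DENIED_NO_USER: return 3;
    case AUTHZ_NEUTRAL:        return 1;
    }
    return 0;
}

/* Merge sibling results left to right; *calls counts siblings actually consulted. */
authz_status merge_siblings(authz_logic logic, const authz_status *results,
                            int n, int *calls)
{
    authz_status best = AUTHZ_NEUTRAL;
    *calls = 0;
    for (int i = 0; i < n; i++) {
        authz_status s = results[i];
        (*calls)++;
        if (s == AUTHZ_GENERAL_ERROR)        /* immediate return */
            return s;
        if (rank(logic, s) > rank(logic, best))
            best = s;
        if ((logic == LOGIC_ALL && s == AUTHZ_DENIED) ||
            (logic == LOGIC_ANY && s == AUTHZ_GRANTED))
            break;                           /* short-circuit remaining siblings */
    }
    return best;
}

/* First (anonymous, r->user == NULL) pass: only DENIED_NO_USER lets authn run. */
typedef enum { PASS1_ALLOW, PASS1_FORBIDDEN, PASS1_AUTHENTICATE } pass1_outcome;
pass1_outcome first_pass(authz_status merged)
{
    if (merged == AUTHZ_GRANTED)        return PASS1_ALLOW;
    if (merged == AUTHZ_DENIED_NO_USER) return PASS1_AUTHENTICATE;
    return PASS1_FORBIDDEN;              /* DENIED or NEUTRAL -> HTTP_FORBIDDEN */
}

int main(void)
{
    /* Constructed: the log case, a provider needing a user next to one that granted. */
    authz_status log_case[] = { AUTHZ_DENIED_NO_USER, AUTHZ_GRANTED };
    int calls;
    authz_status m = merge_siblings(LOGIC_ALL, log_case, 2, &calls);
    printf("RequireAll merged=%d after %d calls, first pass -> %d\n", m, calls, first_pass(m));
    return 0;
}
```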
