At 3:57 PM -0500 2006/11/03, Joshua Slive wrote:
On 11/3/06, Rich Bowen <[EMAIL PROTECTED]> wrote:
On Nov 3, 2006, at 15:33, [EMAIL PROTECTED] wrote:
Here are some proposed definitions:
Order Allow, Deny: Initially a flag for each incoming URL is set
to Deny. Then all Allow directives (i.e. "Allow foobar.org") are
applied followed by all Deny directives regardless of which order
the Allow and Deny directives appear after the Order directive.
Order Deny, Allow: Initially a flag for each incoming URL is set
to Allow. Then all Deny directives (i.e. "Allow foobar.org") are
applied followed by all Allow directives regardless of which order
the Allow and Deny directives appear after the Order directive.
+1. These are an improvement over what we have, and will alleviate
much confusion.
I'm all for improvements, but this suggestion has lots of problems:
- No space after the comma between Allow and Deny.
- "for each incoming URL" is superfluous and confusing.
- The mini example "(i.e. ...)" doesn't add anything
- Why introduce the concept of a "flag"? I think it just obscures things.
- It doesn't solve Chris' initially reported confusion, which is that
it needs to be specified that the last evaluated directive wins.
How about:
Deny,Allow
The access state is initially set to <em>allowed</em>. The Deny
directives are then evaluated, followed by the Allow directives, with
the last matching directive setting the final access state. Clients
are allowed access if they do not match any Deny directive
<strong>or</strong> they do match an Allow directive.
Allow,Deny
The access state is initially set to <em>denied</em>. The Allow
directives are then evaluated, followed by the Deny directives, with
the last matching directive setting the final access state. Clients
are allowed access if they do not match any Deny directive
<strong>and</strong> they do match an Allow directive.
I think there should be some explanation of the names (at
least to help remember what they are). How's this?
The Allow and Deny directives (and the Order directive) control a
three-pass access control method. The first pass processes all Allow
or Deny directives, as specified by the Order directive. The second
pass parses the rest of the directives (Deny or Allow). The third
"default" pass applies to all requests which do not match either of
the first two.
Note that Allow and Deny directives are processed <strong>in
ascending order</strong>, unlike a typical firewall, where only the
first match counts. Additionally, the order in which lines appear in
the configuration files is not significant -- all Allow lines are
processed as a group, and all Deny lines are considered together.
Allow,Deny
First, all Allow directives are evaluated; at least one must match,
or the request is rejected. Next, all Deny directives are evaluated.
If any matches, the request is rejected. Last, any requests which do
not match an Allow or a Deny directive are denied by default.
Deny,Allow
First, all Deny directives are evaluated; if any match, the request
is denied <strong>unless</strong> it also matches an Allow directive.
Any requests which do not match any Allow or Deny directives are
permitted.
Chris
--
Chris Pepper: <http://www.reppep.com/~pepper/>
<http://www.reppep.com/weblog/pepper/>
Rockefeller University: <http://www.rockefeller.edu/>
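
The evaluation rules discussed in this thread (initial state, one pass per directive type in the sequence given by Order, last matching directive wins) can be modelled in a few lines of Python. This is an added example, not code from the thread or from Apache; the names `matches`, `evaluate` and `RULES`, the IP-only matcher, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def matches(spec, client_ip):
    """Simplified 'from' matcher (assumption): 'all' or an IP/CIDR, no hostnames."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(order, directives, client_ip):
    """Return True if access is allowed.

    order      -- "Allow,Deny" or "Deny,Allow"
    directives -- list of ("Allow" | "Deny", spec) in configuration-file order
    """
    first, second = [part.strip().capitalize() for part in order.split(",")]
    if {first, second} != {"Allow", "Deny"}:
        raise ValueError("unsupported Order value: %r" % order)
    # Deny,Allow starts in the allowed state; Allow,Deny starts denied.
    allowed = (first == "Deny")
    # Directives are grouped by type, so their position in the file is irrelevant;
    # the last directive that matches sets the final state.
    for kind in (first, second):
        for d_kind, spec in directives:
            if d_kind == kind and matches(spec, client_ip):
                allowed = (kind == "Allow")
    return allowed

# Constructed sample rules: allow a subnet, deny one host inside it.
RULES = [("Allow", "192.0.2.0/24"), ("Deny", "192.0.2.66")]

if __name__ == "__main__":
    for order in ("Allow,Deny", "Deny,Allow"):
        for ip in ("192.0.2.10", "192.0.2.66", "198.51.100.5"):
            verdict = "allowed" if evaluate(order, RULES, ip) else "denied"
            print("%-10s %-13s %s" % (order, ip, verdict))
```

With these rules, the Deny line for 192.0.2.66 only takes effect under `Allow,Deny`; under `Deny,Allow` the later Allow pass overrides it and unmatched clients are let in by default.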