Mailing List Archive

[Bug 65145] New: ambiguities in mod/mod_authz_core.html
https://bz.apache.org/bugzilla/show_bug.cgi?id=65145

Bug ID: 65145
Summary: ambiguities in mod/mod_authz_core.html
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: docs@httpd.apache.org
Reporter: calestyo@scientia.net
Target Milestone: ---

Hey.

Reading through mod/mod_authz_core.html there seem to be a number of
ambiguities or crucial points missing:
1) Tri-State authz
There is no single place where it's properly explained that authorization isn't just binary (allow, deny) but tri-state (allow, deny, neutral) at each level (i.e. single Requires, RequireAll/Any/None).

It's only kind of scattered over Require/RequireAll/Any/None.


2) "AuthMerging Directive" talks about:
"When authorization is enabled" ... however, authorization must always be
enabled, at least as a concept, so that requests are either granted or denied.


3) There doesn't seem to be any explanation of what happens if none of the
directives are used (e.g. no Require at all). Is the request granted? Is it
denied?
The same when the overall result would be neutral: granted? Denied?

"The result of the Require directive may be negated through the use of the not
option. As with the other negated authorization directive <RequireNone>, when
the Require directive is negated it can only fail or return a neutral result,
and therefore may never independently authorize a request."

=> kinda implies that only an explicit "success" result would allow access,
i.e. not having any Require at all would effectively deny all

However mod/core.html#directory claims:
"Note that the default access for <Directory "/"> is to permit all access. This
means that Apache httpd will serve any file mapped from an URL. It is
recommended that you change this with a block such as"


4) Maybe I'm missing some point, but the example in "Creating Authorization Provider
Aliases" seems buggy:
"This example allows a single authorization location to check group membership
within multiple ldap hosts:"
but then it has:
Require all granted
...
Require ldap-group-alias1
Require ldap-group-alias2

Aren't these all AllowAny'ed, and thus the result is always allow and the latter
two are even ignored?


Cheers,
Chris.
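The combination rules the report asks the documentation to state in one place, modelled as an added example (this is not httpd source and not part of the bug report). It encodes the tri-state rules as the mod_authz_core documentation gives them for Require, "Require not", <RequireAll>, <RequireAny> and <RequireNone>, then evaluates the provider-alias snippet quoted in point 4 with and without "Require all granted", and a lone "Require not ip" from point 3. The providers, the alias names ldap-group-alias1/2, the group strings, the addresses and the request dictionaries are all constructed stand-ins; the real ldap-group and ip providers do more than the one-liners here.

```python
# Added model of the mod_authz_core combination rules (not httpd source).
# Providers, alias names, group strings and addresses are constructed stand-ins.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
Request = Dict[str, object]
Provider = Callable[[str, Request], str]  # (args, request) -> GRANTED | DENIED

PROVIDERS: Dict[str, Provider] = {
    # Require all granted | Require all denied
    "all": lambda args, req: GRANTED if args == "granted" else DENIED,
    # Require ip <addr ...>  (exact match only; the real provider handles CIDR)
    "ip": lambda args, req: GRANTED if req.get("ip") in args.split() else DENIED,
    # stand-in for ldap-group: membership list carried on the request
    "ldap-group": lambda args, req: GRANTED if args in req.get("groups", ()) else DENIED,
}


def make_alias(base: str, fixed_args: str) -> Provider:
    """Stand-in for <AuthzProviderAlias base alias fixed_args>."""
    return lambda _args, req: PROVIDERS[base](fixed_args, req)


# Constructed aliases: the same group looked up on two different LDAP hosts.
PROVIDERS["ldap-group-alias1"] = make_alias("ldap-group", "my-group@ldap1")
PROVIDERS["ldap-group-alias2"] = make_alias("ldap-group", "my-group@ldap2")


@dataclass
class Require:
    """One `Require [not] <provider> [args]` line."""
    provider: str
    args: str = ""
    negated: bool = False

    def evaluate(self, req: Request) -> str:
        result = PROVIDERS[self.provider](self.args, req)
        if not self.negated:
            return result
        # Documented rule: a negated Require can only fail or be neutral,
        # so it can never authorize a request on its own.
        return DENIED if result == GRANTED else NEUTRAL


@dataclass
class Container:
    """<RequireAll>, <RequireAny> or <RequireNone>; kind is all/any/none."""
    kind: str
    children: List[Union[Require, "Container"]] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        results = [c.evaluate(req) for c in self.children]
        succeeded, failed = GRANTED in results, DENIED in results
        if self.kind == "all":
            # none fail and at least one succeeds -> granted;
            # none succeed and none fail -> neutral; anything else -> denied
            if succeeded and not failed:
                return GRANTED
            return DENIED if failed else NEUTRAL
        if self.kind == "any":
            # at least one success -> granted; none succeed and none fail -> neutral
            if succeeded:
                return GRANTED
            return DENIED if failed else NEUTRAL
        if self.kind == "none":
            # any success -> denied; otherwise neutral, so it never grants
            return DENIED if succeeded else NEUTRAL
        raise ValueError(f"unknown container kind {self.kind!r}")


def section(*directives: Union[Require, Container]) -> Container:
    """Bare Require lines in one section act as an implicit <RequireAny>."""
    return Container("any", list(directives))


def doc_alias_example(req: Request) -> str:
    """The provider-alias snippet as quoted in point 4, `Require all granted` included."""
    return section(Require("all", "granted"),
                   Require("ldap-group-alias1"),
                   Require("ldap-group-alias2")).evaluate(req)


def alias_example_without_all_granted(req: Request) -> str:
    """The same snippet with `Require all granted` removed."""
    return section(Require("ldap-group-alias1"),
                   Require("ldap-group-alias2")).evaluate(req)


def negated_ip_alone(req: Request, blocked: str = "10.0.0.1") -> str:
    """`Require not ip <blocked>` as the only directive in a section (point 3)."""
    return section(Require("ip", blocked, negated=True)).evaluate(req)


if __name__ == "__main__":
    outsider = {"ip": "192.0.2.10", "groups": []}
    print(doc_alias_example(outsider))                  # granted
    print(alias_example_without_all_granted(outsider))  # denied
    print(negated_ip_alone(outsider))                   # neutral
    print(negated_ip_alone({"ip": "10.0.0.1"}))         # denied
```

With the bare Require lines of the quoted snippet combined as an implicit RequireAny, "Require all granted" alone decides the outcome and the two alias checks never matter, which is the point 4 concern; dropping that line makes membership in either group decisive. The lone negated directive shows why "Require not" cannot authorize: the only results it produces are denied (address matched) or neutral (no match). The model deliberately stops at the tri-state value of the section; how the server turns a top-level neutral result, or the absence of any Require, into a final grant or deny is exactly what point 3 asks the documentation to spell out.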
