httpd-2.0 and Auth*Authoritative

Post by André Mal » Sat, 20 Jul 2002 07:37:47


'AuthAuthoritative off' and related give the possibility to put some
auth modules into a chain. But it seems that this directive has a
problem with the 2.0 API.

I've looked through the code, especially the following files:

modules/mod_auth_anon.c and

By default all modules register the check_user_id hook at
APR_HOOK_MIDDLE relative position, i.e. the auth-module-ordering is more
or less done randomly (because they're sorted in apr_hooks.c/prepare()
by a qsort call).

So I can only /test/ how the modules are ordered at startup.
However, the test result can be moved to /dev/null if someone
changes the LoadModule directives (by adding or removing some modules
that register the check_user_id hook, too).

Now my question ;-):
Did I understand the code right? Or am I missing anything important?

TIA, nd
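Why the ordering raised in the post above matters for access decisions, as an added example that is not part of the original post and is not httpd code: a simplified model of a run-first hook chain in which the first module that does not decline decides. The modules mod_a and mod_b, the users, and the helper names are constructed for illustration; the order value 10 stands in for APR_HOOK_MIDDLE.

```c
/* Added example: simplified model of a run-first auth hook chain, not httpd code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DECLINED (-1)   /* "not my user, ask the next module" */
#define OK         0
#define DENIED   401

typedef int (*check_fn)(const char *user);
typedef struct { const char *name; int order; int seq; check_fn fn; } hook_t;

/* Constructed module A: knows "alice", non-authoritative (declines unknown users). */
static int mod_a(const char *u) { return strcmp(u, "alice") == 0 ? OK : DECLINED; }
/* Constructed module B: knows "bob", authoritative (rejects unknown users). */
static int mod_b(const char *u) { return strcmp(u, "bob") == 0 ? OK : DENIED; }

/* The first hook that does not decline decides the outcome. */
static int run_chain(const hook_t *h, size_t n, const char *user) {
    for (size_t i = 0; i < n; i++) {
        int rc = h[i].fn(user);
        if (rc != DECLINED) return rc;
    }
    return DENIED;
}

/* Comparing on order alone would leave ties to qsort, which is not a stable
 * sort. Using the registration sequence as tie-break gives a total order. */
static int by_order_then_seq(const void *a, const void *b) {
    const hook_t *x = a, *y = b;
    return x->order != y->order ? x->order - y->order : x->seq - y->seq;
}

/* Outcome for `user` with both modules at the same order, A registered first or not. */
static int result_for(const char *user, int a_first) {
    hook_t h[2] = { { "mod_a", 10, a_first ? 0 : 1, mod_a },
                    { "mod_b", 10, a_first ? 1 : 0, mod_b } };
    qsort(h, 2, sizeof h[0], by_order_then_seq);
    return run_chain(h, 2, user);
}

int main(void) {
    const char *users[] = { "alice", "bob", "carol" };
    for (int i = 0; i < 3; i++)
        printf("%-5s  A first: %d   B first: %d\n", users[i],
               result_for(users[i], 1), result_for(users[i], 0));
    return 0;
}
```

In this model the same user, alice, is accepted when the non-authoritative module runs first and rejected when the authoritative one does, so a chain whose order is not pinned gives results that depend on how ties are broken.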


1. DNS forward lookup also for HTTPD auth?

I understand how to configure NCSA's HTTPd to restrict access based on
client's domain-name.

However, I don't know if the authorization test is simply a reverse DNS
lookup, or, both reverse and forward lookups.

It seems that reverse lookup only would be quite easy to spoof...
so I am hoping that popular http servers perform forward lookup to
confirm the sanity of the reverse lookup.
And, specifically, does NCSA's HTTPd do this lookup confirmation?

Thank you for any comments.
John Ruckstuhl
