From: Stefan Fritsch <sf@apache.org>
Date: Thu, 30 Sep 2010 17:37:55 +0000 (+0000)
Subject: add a bit of doc for the new authz providers
X-Git-Tag: 2.3.9~382
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2a906c8afea7ebec1d7e6c248e5c6bdc541d38b;p=thirdparty%2Fapache%2Fhttpd.git

add a bit of doc for the new authz providers


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1003180 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_authz_core.html.en b/docs/manual/mod/mod_authz_core.html.en
index 70d8eb2278c..dbb92ace8fe 100644
--- a/docs/manual/mod/mod_authz_core.html.en
+++ b/docs/manual/mod/mod_authz_core.html.en
@@ -247,6 +247,21 @@
 
   
 
+  <h3><a name="reqexpr" id="reqexpr">Require expr</a></h3>
+
+  <p>The <code>expr</code> provider allows to base authorization
+  decisions on arbitrary expressions.</p>
+
+    <div class="example"><p><code>
+        Require expr %{TIME_HOUR} &gt;= 9 &amp; %{TIME_HOUR} &lt;= 17 <br />
+    </code></p></div>
+
+    <p>TODO: Include a link to a description of the ap_expr syntax, once we have
+        such a description.</p>
+
+  
+
+
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="AuthMerging" id="AuthMerging">AuthMerging</a> <a name="authmerging" id="authmerging">Directive</a></h2>
@@ -374,6 +389,9 @@ an authorization provider.</td></tr>
       <dt><code>Require method <var>http-method</var> [<var>http-method</var>]
       ...</code></dt>
       <dd>Access is allowed only for the given HTTP methods.</dd>
+
+      <dt><code>Require expr <var>expression</var> </code></dt>
+      <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
     </dl>
 
     <p>Some of the allowed syntaxes provided by <code class="module"><a href="../mod/mod_authz_user.html">mod_authz_user</a></code>
@@ -395,8 +413,8 @@ an authorization provider.</td></tr>
     <p>Other authorization modules that implement require options
     include <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code>,
     <code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code>, 
-    <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>, and
-    <code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code>.</p>
+    <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code>, 
+    <code class="module"><a href="../mod/mod_authz_owner.html">mod_authz_owner</a></code> and <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
 
     <p>In most cases, for a complete authentication and authorization
     configuration, <code class="directive">Require</code> must be accompanied by
diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml
index 29afa25d56f..1a29a8d693a 100644
--- a/docs/manual/mod/mod_authz_core.xml
+++ b/docs/manual/mod/mod_authz_core.xml
@@ -232,6 +232,21 @@
 
   </section>
 
+  <section id="reqexpr"><title>Require expr</title>
+
+  <p>The <code>expr</code> provider allows to base authorization
+  decisions on arbitrary expressions.</p>
+
+    <example>
+        Require expr %{TIME_HOUR} &gt;= 9 &amp; %{TIME_HOUR} &lt;= 17 <br />
+    </example>
+
+    <p>TODO: Include a link to a description of the ap_expr syntax, once we have
+        such a description.</p>
+
+  </section>
+
+
 </section>
 
 <directivesynopsis>
@@ -265,6 +280,9 @@ an authorization provider.</description>
       <dt><code>Require method <var>http-method</var> [<var>http-method</var>]
       ...</code></dt>
       <dd>Access is allowed only for the given HTTP methods.</dd>
+
+      <dt><code>Require expr <var>expression</var> </code></dt>
+      <dd>Access is allowed if <var>expression</var> evaluates to true.</dd>
     </dl>
 
     <p>Some of the allowed syntaxes provided by <module>mod_authz_user</module>
@@ -286,8 +304,8 @@ an authorization provider.</description>
     <p>Other authorization modules that implement require options
     include <module>mod_authnz_ldap</module>,
     <module>mod_authz_dbm</module>, <module>mod_authz_dbd</module>, 
-    <module>mod_authz_host</module>, and
-    <module>mod_authz_owner</module>.</p>
+    <module>mod_authz_host</module>, 
+    <module>mod_authz_owner</module> and <module>mod_ssl</module>.</p>
 
     <p>In most cases, for a complete authentication and authorization
     configuration, <directive>Require</directive> must be accompanied by
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
index d5702c3e6ef..10b2be413bd 100644
--- a/docs/manual/mod/mod_ssl.html.en
+++ b/docs/manual/mod/mod_ssl.html.en
@@ -92,6 +92,7 @@ to provide the cryptography engine.</p>
 <li><img alt="" src="../images/down.gif" /> <a href="#envvars">Environment Variables</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#logformats">Custom Log Formats</a></li>
 <li><img alt="" src="../images/down.gif" /> <a href="#notes">Request Notes</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authzproviders">Authorization providers for use with Require</a></li>
 </ul></div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="section">
@@ -237,6 +238,42 @@ string in <code class="module"><a href="../mod/mod_log_config.html">mod_log_conf
   for the current connection, the note is not set.</dd>
 </dl>
 
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="authzproviders" id="authzproviders">Authorization providers for use with Require</a></h2>
+
+  <p><code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides a few authentication providers for use
+  with <code class="module"><a href="../mod/mod_authz_core.html">mod_authz_core</a></code>'s
+  <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code> directive.</p>
+
+  <h3><a name="reqssl" id="reqssl">Require ssl</a></h3>
+
+    <p>The <code>ssl</code> provider denies access if a connection is not
+       encrypted with SSL. This is similar to the
+       <code class="directive">SSLRequireSSL</code> directive.</p>
+
+    <div class="example"><p><code>
+      Require ssl
+    </code></p></div>
+
+  
+
+  <h3><a name="reqverifyclient" id="reqverifyclient">Require ssl-verify-client</a></h3>
+
+    <p>The <code>ssl</code> provider allows access if the user is
+       authenticated with a valid client certificate. This is only
+       useful if <code>SSLVerifyClient optional</code> is in effect.</p>
+
+    <p>The following example grants access if the user is authenticated
+       either with a client certificate or by username and password.</p>
+
+    <div class="example"><p><code>
+      Require ssl-verify-client<br />
+      Require valid-user
+    </code></p></div>
+
+  
+
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="SSLCACertificateFile" id="SSLCACertificateFile">SSLCACertificateFile</a> <a name="sslcacertificatefile" id="sslcacertificatefile">Directive</a></h2>
@@ -1535,12 +1572,6 @@ This directive specifies a general access requirement which has to be
 fulfilled in order to allow access. It is a very powerful directive because the
 requirement specification is an arbitrarily complex boolean expression
 containing any number of access checks.</p>
-<div class="warning">
-<p>The implementation of <code>SSLRequire</code> is not thread safe.  
-   Using <code>SSLRequire</code> inside <code>.htaccess</code> files
-   on a threaded <a href="../mpm.html">MPM</a> may cause random crashes.
-</p>
-</div>
 <p>
 The <em>expression</em> must match the following syntax (given as a BNF
 grammar notation):</p>
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index b126d606724..403193ea681 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -189,6 +189,42 @@ string in <module>mod_log_config</module>.</p>
 
 </section>
 
+<section id="authzproviders"><title>Authorization providers for use with Require</title>
+
+  <p><module>mod_ssl</module> provides a few authentication providers for use
+  with <module>mod_authz_core</module>'s
+  <directive module="mod_authz_core">Require</directive> directive.</p>
+
+  <section id="reqssl"><title>Require ssl</title>
+
+    <p>The <code>ssl</code> provider denies access if a connection is not
+       encrypted with SSL. This is similar to the
+       <directive>SSLRequireSSL</directive> directive.</p>
+
+    <example>
+      Require ssl
+    </example>
+
+  </section>
+
+  <section id="reqverifyclient"><title>Require ssl-verify-client</title>
+
+    <p>The <code>ssl</code> provider allows access if the user is
+       authenticated with a valid client certificate. This is only
+       useful if <code>SSLVerifyClient optional</code> is in effect.</p>
+
+    <p>The following example grants access if the user is authenticated
+       either with a client certificate or by username and password.</p>
+
+    <example>
+      Require ssl-verify-client<br/>
+      Require valid-user
+    </example>
+
+  </section>
+
+</section>
+
 <directivesynopsis>
 <name>SSLPassPhraseDialog</name>
 <description>Type of pass phrase dialog for encrypted private 
@@ -1192,12 +1228,6 @@ This directive specifies a general access requirement which has to be
 fulfilled in order to allow access. It is a very powerful directive because the
 requirement specification is an arbitrarily complex boolean expression
 containing any number of access checks.</p>
-<note type="warning">
-<p>The implementation of <code>SSLRequire</code> is not thread safe.  
-   Using <code>SSLRequire</code> inside <code>.htaccess</code> files
-   on a threaded <a href="../mpm.html">MPM</a> may cause random crashes.
-</p>
-</note>
 <p>
 The <em>expression</em> must match the following syntax (given as a BNF
 grammar notation):</p>