From 4add50908a90ccdd824a81a4d9360b22ff875305 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 5 Dec 2016 19:39:40 +0000 Subject: [PATCH] Merge r1772758 from trunk: provide more access control migration hints current examples don't account for when access control overlaps with authentication. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772762 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/upgrading.xml | 88 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 85 insertions(+), 3 deletions(-) diff --git a/docs/manual/upgrading.xml b/docs/manual/upgrading.xml index 64580c69beb..f340fa310cb 100644 --- a/docs/manual/upgrading.xml +++ b/docs/manual/upgrading.xml @@ -153,7 +153,7 @@

Here are some examples of old and new ways to do the same access control.

-

In this example, all requests are denied.

+

In this example, there is no authentication and all requests are denied.

2.2 configuration: @@ -168,7 +168,7 @@ Deny from all -

In this example, all requests are allowed.

+

In this example, there is no authentication and all requests are allowed.

2.2 configuration: @@ -183,7 +183,7 @@ Allow from all -

In the following example, all hosts in the example.org domain +

In the following example, there is no authentication and all hosts in the example.org domain are allowed access; all other hosts are denied access.

@@ -257,6 +257,88 @@ access.log - GET /server-status 200 127.0.0.1

+

In many configurations with authentication, where the value of the + Satisfy was the default of ALL, snippets + that simply disabled host-based access control are omitted:

+ + + 2.2 configuration: + +Order Deny,Allow +Deny from all +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + + 2.4 configuration: + +# No replacement needed +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + +

In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting both criteria:

+ + 2.2 configuration: + +Order allow,deny +Deny from all +# Satisfy ALL is the default +Satisfy ALL +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + + 2.4 configuration: + +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +<RequireAll> + Require valid-user + require ip 127.0.0.1 +</RequireAll> + + + +

In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting either criteria:

+ + 2.2 configuration: + +Order allow,deny +Deny from all +Satisfy any +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + + 2.4 configuration: + +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +# Implicitly <RequireAny> +Require valid-user +Require ip 127.0.0.1 + + +
-- 2.47.2
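Review bot: In the first added 2.2 example of the last hunk (the one introduced as "snippets that simply disabled host-based access control"), `Order Deny,Allow` followed by `Deny from all` does not disable host-based access control. With the default `Satisfy ALL` it rejects every request, so the 2.4 block labelled "No replacement needed" is not equivalent to it. Use `Allow from all` in that 2.2 block so it shows the pattern the paragraph describes. The two later 2.2 examples have a related problem: under `Order allow,deny` a request that matches both `Allow from 127.0.0.1` and `Deny from all` is denied, so 127.0.0.1 never passes the host check. They should use `Order deny,allow` to match the `<RequireAll>` and implicit `<RequireAny>` replacements. Smaller points in the same hunk: `require ip 127.0.0.1` should be capitalised as `Require` like the surrounding lines, "the value of the Satisfy was" reads better as "the value of Satisfy was", and "either criteria" should be "either criterion".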