On Thu, Mar 15, 2018 at 10:50 AM, Torsten Krah <krah.tm@xxxxxxxxx> wrote: > Am Donnerstag, den 15.03.2018, 10:44 -0400 schrieb Eric Covener: >> I think you should be setting it to a customized string or an existing >> one if you want a fallthrough behavior. Anything else seems >> undefined/dangerous. > > lua docs does not tell that i should set AuthType anywhere searching for > it on: > > https://httpd.apache.org/docs/trunk/mod/mod_lua.html > > So is this a *must* have to set additionally? Shouldn't it be better > than if either httpd errors out if it finds one of those lua auth > handler directives without an AuthType? Or maybe just set one implicitly > to e.g. AuthType LUA when configuration is parsed? Lots of things could be better. To me it is clear that the overall system expects an AuthType to be set if you will be doing authn and authz. The error message is one indication of that IIUC, a normal authentication provider would check the configured authtype. So it would not be ideal for Lua to programatically configure it just because the hook has been implemented by a script. > And i am curious - why its dangerous? If it is dangerous - shouldn't the > docs have some note about this added? > Reading them i was under the impression - and because httpd does not > bail about it - that its not needed using the lua handlers. To me It's dangerous because to me it looks like unintended/undesigned/undefined config/behavior in the area of access control and that error message is the hint. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx