> Lots of things could be better. To me it is clear that the overall
> system expects an AuthType to be set if you will be doing authn and
> authz.

Thx for clarification - this was at least not clear to me.

>
> The error message is one indication of that

But it appears only if the authorization backend does deny the access - if it lets you pass, you won't get any error message. So it's difficult to "know" that you should configure it.

>
> IIUC, a normal authentication provider would check the configured
> authtype. So it would not be ideal for Lua to programmatically
> configure it just because the hook has been implemented by a script.

Hm - the lua authz provider here: https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luaauthzprovider does not check that, nor do any of the other examples there. So if I use that *normal* one from the example there and tweak it to my needs, I would not know what other providers in general would do - *normal* makes assumptions about httpd internals in other places, which not everyone has. Coming from a user perspective which wants to use the things there, it's hard to *know* such things - if you're a familiar httpd developer, of course it seems clear to you.

... This can be used to implement arbitrary authentication and authorization checking. ...

To sum it up: I should set AuthType if I am using some of those handlers, correct? And do we agree that the docs should mention that?

>
> > And i am curious - why its dangerous? If it is dangerous - shouldn't the
> > docs have some note about this added?
> > Reading them i was under the impression - and because httpd does not
> > bail about it - that its not needed using the lua handlers.
>
> To me It's dangerous because to me it looks like
> unintended/undesigned/undefined config/behavior in the area of access
> control and that error message is the hint.
That sounds feasible - but to users of httpd + mod_lua who just read the docs and do not study the code of other providers - how should they know that this is an undefined config / behaviour? The examples and docs imho should mention that, shouldn't they? And wouldn't it be a good idea to let httpd configtest fail if those auth handlers are used but no AuthType is set - just to avoid undefined behaviour?

kind regards
Torsten
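As an added illustration (not code from this thread, from httpd, or from the mod_lua documentation), here is a Lua authz provider written so that it fails closed when no authentication phase has run, which is exactly the situation the thread describes when AuthType is missing. The provider name `is-admin`, the script path, the `/admin` Location, the htpasswd path and the user names are assumptions; the commented httpd configuration shows where AuthType has to sit so that httpd authenticates the client before the provider is called.

```lua
-- authz_admin.lua: example mod_lua authorization provider (added illustration,
-- not the thread's, httpd's or the mod_lua documentation's own code).
--
-- Assumed httpd configuration. AuthType is what makes the authentication
-- phase run *before* this provider, so that r.user is populated:
--
--   LuaAuthzProvider is-admin /etc/httpd/lua/authz_admin.lua authz_is_admin
--   <Location "/admin">
--       AuthType Basic
--       AuthName "Admin area"
--       AuthBasicProvider file
--       AuthUserFile /etc/httpd/admin.htpasswd
--       Require is-admin alice bob
--   </Location>

-- Inside httpd, mod_lua supplies the global `apache2` table. Outside httpd
-- (running this file with a plain `lua` binary for a self-check) we substitute
-- a stand-in with the same field names; the numeric values are constructed.
local loaded = pcall(require, "apache2")
if not loaded then
    apache2 = { AUTHZ_GRANTED = 1, AUTHZ_DENIED = 0 }
end

-- Provider entry point. `r` is the request; the remaining arguments are the
-- words that follow the provider name on the Require line.
function authz_is_admin(r, ...)
    -- Fail closed: if no authentication phase ran (typically because AuthType
    -- is not set for this location) r.user is nil. Deny and log a hint rather
    -- than letting the decision silently depend on an absent user.
    if r.user == nil or r.user == "" then
        r:err("authz_is_admin: no authenticated user for " .. tostring(r.uri)
              .. " (is AuthType set for this location?)")
        return apache2.AUTHZ_DENIED
    end
    for _, allowed in ipairs({ ... }) do
        if r.user == allowed then
            return apache2.AUTHZ_GRANTED
        end
    end
    r:notice("authz_is_admin: user '" .. r.user .. "' not in allow list")
    return apache2.AUTHZ_DENIED
end

-- Self-check with a constructed request object; runs only outside httpd.
if not loaded then
    local log = {}
    local function fake_request(user)
        -- constructed stand-in with the few fields the provider touches
        return {
            user = user,
            uri = "/admin",
            err = function(_, msg) log[#log + 1] = msg end,
            notice = function(_, msg) log[#log + 1] = msg end,
        }
    end
    assert(authz_is_admin(fake_request("alice"), "alice", "bob") == apache2.AUTHZ_GRANTED)
    assert(authz_is_admin(fake_request("mallory"), "alice", "bob") == apache2.AUTHZ_DENIED)
    assert(authz_is_admin(fake_request(nil), "alice", "bob") == apache2.AUTHZ_DENIED)
    assert(#log == 2 and log[2]:find("AuthType", 1, true))
    print("self-check passed")
end
```

With AuthType set as in the commented configuration, httpd authenticates the client before calling the provider, so the nil-user branch only fires in the misconfigured case discussed above; there it denies the request and writes the hint to the error log instead of granting or denying based on a comparison against nil.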