我正在尝试配置 apache,以便每次访问都需要通过 mod_auth_mellon 进行 SSO 身份验证。我已经让它完美运行了:
<Location />
AuthType "Mellon"
Require valid-user
...
</Location>
现在我想根据经过身份验证的用户组进一步限制某些更深的目录,其中此组信息来自文件系统中的本地文件(例如 /etc/group 或我选择的其他内容):
<Location /some_dir>
Require group foo
</Location>
我似乎无法在第二个执行组检查的块中找到 AuthType、AuthGroupFile、AuthMerging 等的任何组合。相反,访问总是成功,并且我的调试日志包含以下内容:
[Wed Jun 02 19:50:21.814390 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of Require valid-user : granted
[Wed Jun 02 19:50:21.814438 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of <RequireAny>: granted
[Wed Jun 02 19:50:21.814444 2021] [core:trace3] request.c(312): [client 10.74.101.90:54850] request authorized without authentication by access_checker_ex hook: /some_dir/
[Wed Jun 02 19:50:21.814513 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jun 02 19:50:21.814520 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jun 02 19:50:21.814527 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of Require valid-user : granted
[Wed Jun 02 19:50:21.814530 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of <RequireAny>: granted
[Wed Jun 02 19:50:21.814630 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jun 02 19:50:21.814639 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jun 02 19:50:21.814645 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of Require valid-user : granted
[Wed Jun 02 19:50:21.814649 2021] [authz_core:debug] mod_authz_core.c(809): [client 10.74.101.90:54850] AH01626: authorization result of <RequireAny>: granted
我不明白这里发生了什么。具体来说,这是什么?
通过 access_checker_ex 钩子无需身份验证即可授权的请求:/some_dir/
另外,我的配置中没有任何 <RequireAny> 指令,所以我不确定为什么它会出现在日志中。
是否可以配置 apache 来执行我想要的操作?
答案1
好的,我成功了。诀窍是放入AuthMerging And块中<Location />而不是<Location /some_dir>块中。从文档中我看不清楚这一点,文档中说:
当配置节包含
AuthMerging And或 时AuthMerging Or,其授权逻辑将与最近的前一个(根据配置节的总体顺序)的授权逻辑相结合,后者也包含授权逻辑,就好像这两个节分别共同包含在 或<RequireAll>指令中<RequireAny>一样。
<Location />在我的配置中,和的顺序<Location /some_dir>似乎并不重要,但AuthMerging And 做事情。