我们正在使用 Apache-2.4 提供的新的身份验证和授权框架,需要关闭整个站点(Location /)以防止未经授权的访问,除了一个子目录(Location /foo)可以获取授权 cookie。看起来,AuthMerging 是要使用的指令,但事情不起作用:
<Location />
AuthType form
AuthFormProvider foo
Session On
SessionCookieName ti2f
Include conf/sessionpw.conf
AuthName TI
<RequireAll>
Require foo ipaddress
Require foo expiration
</RequireAll>
ErrorDocument 401 /foo/
</Location>
<Location /foo>
AuthMerging Or
Require all granted
DirectoryIndex index.php
</Location>
不幸的是,对 /foo 的访问仍然被阻止—— 401 Unauthorized。随着 LogLevel 的启动,我可以看到 mod_authz_core 记录的以下消息:
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require foo ipaddress: denied (no authenticated user yet)
authorization result of Require foo expiration: denied (no authenticated user yet)
authorization result of <RequireAll>: denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)
将子位置 /foo 的 AuthMerging 设置为“或”时,为什么 Apache 在“要求所有已授予”授权之后检查父位置的要求指令?