The approach for allowing authorization by user or IP introduced in r956387,
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.

So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex function returns OK, the
request will be allowed without authentication.

To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
Stefan Fritsch
2010-07-14 19:59:31 +00:00
parent ed67c11e05
commit f14218c7ad
13 changed files with 196 additions and 111 deletions
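The commit message describes a hook ordering (access_checker, then the new access_checker_ex, then check_user_id) in which a Require walk runs before any authentication and must distinguish a real denial from "cannot decide until there is a user". The following is an added example, not httpd's code: it models that walk in plain C with a hypothetical request struct, two hypothetical providers (one keyed on the client IP, one on the user name) and a RequireAny-style combiner. The only thing taken from the page is the authz_status enum with its new AUTHZ_DENIED_NO_USER member; everything else (request_rec_model, authz_ip, authz_user, require_any, ex_result, demo functions) is an assumption for illustration.

```c
/* Added example, not mod_authz_core's own code: a model of the
 * access_checker_ex walk described in the commit message.
 * Assumptions: a Require block is a list of (provider, argument) pairs
 * combined with RequireAny semantics; the request struct and provider
 * functions are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef enum {
    AUTHZ_DENIED,
    AUTHZ_GRANTED,
    AUTHZ_NEUTRAL,
    AUTHZ_GENERAL_ERROR,
    AUTHZ_DENIED_NO_USER   /* denied only because r->user == NULL */
} authz_status;

/* Hypothetical request: just the two fields the model needs. */
typedef struct {
    const char *user;      /* NULL before the check_user_id phase has run */
    const char *remote_ip;
} request_rec_model;

typedef authz_status (*provider_fn)(const request_rec_model *, const char *);

/* Hypothetical "Require ip" provider: decidable without a user. */
static authz_status authz_ip(const request_rec_model *r, const char *arg) {
    return strcmp(r->remote_ip, arg) == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

/* Hypothetical "Require user" provider: must not report a real denial
 * when no user has been authenticated yet. */
static authz_status authz_user(const request_rec_model *r, const char *arg) {
    if (r->user == NULL)
        return AUTHZ_DENIED_NO_USER;
    return strcmp(r->user, arg) == 0 ? AUTHZ_GRANTED : AUTHZ_DENIED;
}

typedef struct {
    provider_fn fn;
    const char *arg;
} require_line;

/* RequireAny combine: any grant wins; if nothing grants but some line
 * needed a user, surface AUTHZ_DENIED_NO_USER so the caller can defer
 * to the authenticated phase instead of denying outright. */
static authz_status require_any(const request_rec_model *r,
                                const require_line *lines, int n) {
    int need_user = 0;
    for (int i = 0; i < n; i++) {
        authz_status s = lines[i].fn(r, lines[i].arg);
        if (s == AUTHZ_GRANTED)
            return AUTHZ_GRANTED;
        if (s == AUTHZ_GENERAL_ERROR)
            return AUTHZ_GENERAL_ERROR;
        if (s == AUTHZ_DENIED_NO_USER)
            need_user = 1;
    }
    return need_user ? AUTHZ_DENIED_NO_USER : AUTHZ_DENIED;
}

/* Outcome of the access_checker_ex phase as the commit message frames it. */
typedef enum { EX_OK, EX_FORBIDDEN, EX_NEED_AUTH } ex_result;

static ex_result access_checker_ex(const request_rec_model *r,
                                   const require_line *lines, int n) {
    switch (require_any(r, lines, n)) {
    case AUTHZ_GRANTED:        return EX_OK;        /* allowed, no auth attempted */
    case AUTHZ_DENIED_NO_USER: return EX_NEED_AUTH; /* continue to check_user_id */
    default:                   return EX_FORBIDDEN; /* real denial, no auth failure noted */
    }
}

/* Constructed sample configurations: "Require ip 10.0.0.5" plus
 * "Require user alice", and the IP line alone. */
static const require_line demo_ip_or_user[] = {
    { authz_ip,   "10.0.0.5" },
    { authz_user, "alice" },
};
static const require_line demo_ip[] = {
    { authz_ip,   "10.0.0.5" },
};

static ex_result demo(const char *ip) {
    request_rec_model r = { NULL, ip };   /* no user at this phase */
    return access_checker_ex(&r, demo_ip_or_user, 2);
}

static ex_result demo_ip_only(const char *ip) {
    request_rec_model r = { NULL, ip };
    return access_checker_ex(&r, demo_ip, 1);
}

int main(void) {
    printf("ip-or-user, from 10.0.0.5:  %d\n", demo("10.0.0.5"));
    printf("ip-or-user, from 192.0.2.1: %d\n", demo("192.0.2.1"));
    printf("ip-only,    from 192.0.2.1: %d\n", demo_ip_only("192.0.2.1"));
    return 0;
}
```

The third case is the one the commit is about: with only an IP rule and a non-matching client, the walk yields a plain AUTHZ_DENIED and the request is refused before any authentication module runs, so note_*_auth_failure is never called for a request that authentication could not have saved; with a user rule present, the walk returns AUTHZ_DENIED_NO_USER and the request proceeds to check_user_id instead.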


@ -73,7 +73,8 @@ typedef enum {
AUTHZ_DENIED,
AUTHZ_GRANTED,
AUTHZ_NEUTRAL,
AUTHZ_GENERAL_ERROR
AUTHZ_GENERAL_ERROR,
AUTHZ_DENIED_NO_USER, /* denied because r->user == NULL */
} authz_status;
typedef struct {
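Review bot: AUTHZ_DENIED_NO_USER gets only a one-line comment, but the contract the commit message spells out (a provider returns it instead of AUTHZ_DENIED when it cannot decide without r->user, and the access_checker_ex walk then defers to the authenticated phase rather than denying) is exactly what provider authors will look for on this enum, so expand the comment to say that. Appending the value after AUTHZ_GENERAL_ERROR keeps the existing numeric values stable, which is good, but any switch over authz_status elsewhere in the tree now needs an explicit case for it so the new value does not fall into a default path that treats it as a hard denial.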