| eafcc0ebf263d0ba69855b6e10958c4c1a2361bd 1427548 |
|
01-Jan-2013 |
sf |
Add some caching for password hash validation.
Password hash functions must be expensive in order to be secure. But
if they have to be re-evaluated for every request, performance
suffers.
As a minimal remedy, cache the most recent result for every
connection. This gives a great performance boost if a web browser
does many requests on the same connection with the same
user+password. In principle, this may keep the plain text password
around longer than before. But in practice, there won't be much
difference since user+password can already remain in some unused
data bucket for longer than the request duration.
A proper solution still needs to be found for connections from
proxies which may carry requests for many different users.
While it currently only requires the conn_rec, the new
ap_password_validate() function takes username and request_rec to
allow future extensions, like detection of brute-force attempts. |
| 7c2df38555e33d4c30de9973722128cc9646a1b3 1153687 |
|
04-Aug-2011 |
sf |
Forbid some directives in .htaccess because of AllowOverrideList:
core: AllowOverride, AllowOverrideList
mod_authn_dbd: AuthDBDUserPWQuery, AuthDBDUserRealmQuery
mod_authz_dbd: AuthzDBDQuery, AuthzDBDRedirectQuery
mod_proxy: BalancerMember, ProxySet
Adjust for use in .htaccess:
mod_actions: Script |
| a72211e92bab814bfa28ee086ca9b2a1a6095c92 644525 |
|
03-Apr-2008 |
chrisd |
Avoid calling access control hooks for internal requests with
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files. |