How Limit Sections Are Evaluated


Limit sections can appear both within the directory based configuration file and the administrative access configuration file. The way that the limit sections are evaluated by the server is identical in both cases.

If the server is evaluating access to a document that exists in a directory for which no limit section is specified and no parent directory has a limit section specified, access will be granted. Otherwise, host filtering will be checked first. If access is allowed after host filtering (this includes the case where host filtering is not being used), user authentication will be checked.

Evaluating Host Filtering

When the server is evaluating whether to give access to a document, it will work its way down the directory tree from the IFS root, evaluating host filtering in each limit section from the highest directory (closest to the IFS root) to the lowest (closest to the document being evaluated). Limit sections apply to one or more methods (client request types).

For host filtering, the limit section directives are order, allow and deny. The order directive specifies the order in which the allow and deny directives are evaluated. The allow directive is used to add hosts which have access to a directory. The deny directive removes hosts which have access to a directory.

For the order values allow,deny and deny,allow, each limit section may turn access on, turn it off or do nothing. Access will be turned on if the client's host matches an allow entry. It will be turned off if the host matches a deny entry. If neither the deny nor the allow entry matches the client's host, access will not be changed for that limit section. If both match the client's host, access will be set by the last entry evaluated (which depends on the order entry).

If order is set to mutual-failure, access will only be allowed if the client's host matches an allow entry and does not match a deny entry. Note that the effect of this is to ignore any previously evaluated (higher) limit sections.

Evaluating User Authentication

To evaluate user authentication, the server will find the limit section nearest to the document being evaluated (farthest from the IFS root) that contains a require directive. If no such limit section is found, access will be granted.

When evaluating the require entries, the current authentication type, authentication user file and (possibly) authentication group file are used. If user authentication fails, the realm specified by the current authentication realm name is sent back to the browser to be displayed to the user when the browser prompts for a user name and password.
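The evaluation order described in the two sections above (host filtering walked from the IFS root down to the document, then the require directive of the nearest limit section) can be followed more easily in a small simulator. The block below is an added example and is not the server's own code. It assumes a constructed directory layout, a constructed user and group file, that a host entry is either `all`, an exact host name or a leading-dot domain suffix, that access starts as denied before the first limit section is applied, and that require takes the forms `valid-user`, `user <names>` or `group <names>`; none of these details are stated on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LimitSection:
    path: str                                    # directory the section protects
    methods: set = field(default_factory=lambda: {"GET"})  # request types it covers
    order: str = "allow,deny"                    # "allow,deny", "deny,allow" or "mutual-failure"
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    require: Optional[str] = None                # e.g. "valid-user", "user alice", "group staff"

def covers(section, doc_path, method):
    """A section applies when the document lies under its directory and the method matches."""
    prefix = section.path.rstrip("/") + "/"
    return method in section.methods and doc_path.startswith(prefix)

def host_matches(host, entry):
    """Assumed entry syntax: 'all', an exact host name, or a leading-dot domain suffix."""
    if entry == "all":
        return True
    if entry.startswith("."):
        return host.endswith(entry)
    return host == entry

def evaluate_host_filtering(sections, doc_path, method, host, initial=False):
    """Walk the applicable sections from the IFS root (shortest path) down to the document.
    `initial` is the access state before any section is applied (assumption: denied)."""
    applicable = sorted((s for s in sections if covers(s, doc_path, method)),
                        key=lambda s: len(s.path.rstrip("/")))
    if not applicable:
        return True                      # no limit section in the directory or any parent
    access = initial
    for s in applicable:
        allowed = any(host_matches(host, e) for e in s.allow)
        denied = any(host_matches(host, e) for e in s.deny)
        if s.order == "mutual-failure":
            access = allowed and not denied   # result of higher sections is ignored
            continue
        # allow,deny / deny,allow: the last matching entry evaluated wins;
        # a section where nothing matches leaves access unchanged.
        for directive in s.order.split(","):
            if directive == "allow" and allowed:
                access = True
            elif directive == "deny" and denied:
                access = False
    return access

def nearest_require(sections, doc_path, method):
    """The section with a require directive that is closest to the document."""
    candidates = [s for s in sections if covers(s, doc_path, method) and s.require]
    return max(candidates, key=lambda s: len(s.path.rstrip("/"))) if candidates else None

def evaluate_user_auth(sections, doc_path, method, credentials, user_file, group_file, realm):
    """Returns (granted, realm_to_send); the realm is only sent when authentication fails."""
    section = nearest_require(sections, doc_path, method)
    if section is None:
        return True, None                # no require directive anywhere above the document
    if credentials is None:
        return False, realm
    user, password = credentials
    if user_file.get(user) != password:  # constructed plain-text user file, for illustration only
        return False, realm
    kind, _, names = section.require.partition(" ")
    if kind == "valid-user":
        return True, None
    if kind == "user" and user in names.split():
        return True, None
    if kind == "group" and any(user in group_file.get(g, ()) for g in names.split()):
        return True, None
    return False, realm

def check_access(sections, doc_path, method, host, credentials=None,
                 user_file=None, group_file=None, realm="Restricted"):
    """Host filtering is checked first; user authentication only if the host got through."""
    if not evaluate_host_filtering(sections, doc_path, method, host):
        return False, None
    return evaluate_user_auth(sections, doc_path, method, credentials,
                              user_file or {}, group_file or {}, realm)

# Constructed configuration: the whole tree is limited to example.com hosts,
# the private subtree also needs a staff member, and the partner subtree
# uses mutual-failure so that a single outside host gets in regardless of /www.
SECTIONS = [
    LimitSection("/www", order="deny,allow", deny=["all"], allow=[".example.com"]),
    LimitSection("/www/private", order="allow,deny", allow=[".example.com"],
                 deny=["guest.example.com"], require="group staff"),
    LimitSection("/www/partner", order="mutual-failure", allow=["partner.example.net"]),
]
USER_FILE = {"alice": "s3cret", "bob": "hunter2"}    # constructed
GROUP_FILE = {"staff": {"alice"}}                     # constructed

if __name__ == "__main__":
    print(check_access(SECTIONS, "/www/private/doc.html", "GET", "pc1.example.com",
                       ("alice", "s3cret"), USER_FILE, GROUP_FILE))
```

Two cases are worth tracing by hand against the rules above: `guest.example.com` requesting `/www/private/doc.html` is let in by `/www`, then turned off again by the deny entry in `/www/private` because deny is the last entry evaluated under `allow,deny`; and `partner.example.net` requesting `/www/partner/x.html` is denied by `/www` but still gets access, because the `mutual-failure` section ignores the higher result.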


Also see Protecting your AS/400 information