How Allow, Deny and Require Statements Are Evaluated How Allow, Deny and Require Statements Are EvaluatedIf the server is evaluating access to a session for which no specific access control directives are specified and no parent session has access control specified, access will be granted. Otherwise, host filtering will be checked first. If access is allowed after host filtering (this includes the case where host filtering is not being used), user authentication will be checked.
For host filtering, the access directives are order, allow and deny. The order directive specifies the order in which the allow and deny directives are evaluated. The allow directive is used to add hosts which have access to a session. The deny directive removes hosts which have access to a session.
For the order
values allow,deny and deny,allow, each set of
directives may turn access on, turn it off or do nothing. Access will be turned
on if the client's host matches an allow entry. It will be turned off if the host
matches a deny entry. If neither the deny or allow entry matches the
client's host, access will not be changed for that session. If both
match the client's host, access will be set by the last entry evaluated
(this depends on the order entry).
If order is set to mutual-failure, access will only be allowed
if the client's host matches an allow entry and does not match a deny
entry. Note that the effect of this is to ignore any previously evaluated
directives from higher sessions.
When evaluating the require entry(ies), the current authentication type, authentication user file and (possibly) authentication group file are used. If user authentication fails, the realm specified by the current authentication realm name is sent back to the browser to be displayed to the user when the browser prompts for a user name and password.