I would like to be able to do this:
<LocationMatch ^/secret/(.+?)>
<Limit GET>
Require group member
</Limit>
<LimitExcept GET>
Require group member
Require group contributor
</LimitExcept>
</LocationMatch>
"Require group" lets you suggest lots of groups that are considered with an OR; I require some kind of AND. Satisfy all seems to only influence Require when used with Allow.
Is there a way of controlling group membership with Require/AND?
(I should point out that we are using Atlassian Crowd's Perl module as our group provider, so if it's possible to implement this in the handler, that would work too.)
This is a limitation of basic auth. It is basic :) Though this does not directly answer your question, I will offer that if you have an LDAP directory to manage people, you can do something like "Require Filter (|(memberof=group1DN)(memberof=group2DN))" from mod_authz_ldap which would pass if the user was a member of either of those groups. You have more control over it, but obviously that would require a lot more setup than the basic filter. A WHOLE lot more if you don't have users in LDAP.