Combining SSL and basic user (group) authentication

Combining SSL and basic user (group) authentication

Richard70nl
Dear all,

I’m trying to figure out how I can give access to documents by combining SSL and basic user authentication. The following is from my httpd config:

<Directory "${WEBAPPS_ROOT}/test/user">
    AllowOverride None
    Options None

    AuthType Basic
    AuthName "Test User"
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "select human.get_user_password(%s);"
    AuthzDBDQuery "select human.get_user_groups(%s);"
    Require ssl
    Require dbd-group user
</Directory>

The “Require ssl” denies access to the document for normal http:// connections which is what I want. But it allows accessing the documents without doing any authentication if I do use a https:// connection. My goal is to have an SSL connection but still it’s required to authenticate.

If I remove the “Require ssl” then the authentication works as expected but then a normal http:// connection is possible also. I want to avoid, for the obvious reason, that with basic authentication the password is sent unencrypted (just the standard base64 encoding according to the HTTP specification).

BTW, I thought that “Satisfy all” would solve this issue but it does not.

Or is the rewrite trick where http:// connections are redirected to https:// connections sufficient? I somehow have the idea it’s not but I can’t put my finger on that. Any insights on this would also be appreciated.

Any hints would be appreciated.

Cheers,
Richard
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Combining SSL and basic user (group) authentication

John Iliffe
Why not redirect the incoming HTTP connections to HTTPS?  

<VirtualHost *:80>
   ServerName www.mysite.ca
   Redirect permanent / https://www.mysite.com
</VirtualHost>

Good luck!

John
==========================================
On Sun, 2019-03-31 at 16:05 +0200, Richard70nl wrote:

Re: Combining SSL and basic user (group) authentication

Eric Covener
In reply to this post by Richard70nl
On Sun, Mar 31, 2019 at 10:05 AM Richard70nl <[hidden email]> wrote:

In 2.4 it would be surrounding the two requires with <requireall>


Re: Combining SSL and basic user (group) authentication

Richard70nl
Hi Eric and All,

On 31 Mar 2019, at 18:53, Eric Covener <[hidden email]> wrote:

> In 2.4 it would be surrounding the two requires with <requireall>

Yes… that’s it. Thanks so much.

The config that works is now:

<Directory "${WEBAPPS_ROOT}/test/user">
    AllowOverride None
    Options None

    AuthType Basic
    AuthName "Test User"
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "select human.get_user_password(%s);"
    AuthzDBDQuery "select human.get_user_groups(%s);"

    <RequireAll>
      Require ssl
      Require dbd-group user
    </RequireAll>
</Directory>

Cheers,
Richard
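A way to confirm that the final configuration really enforces both conditions, as an added example that is not part of the thread: a small POSIX shell script that probes the protected directory with curl for the three cases discussed above (plain http, https without credentials, https with credentials). The host, path and credentials are placeholder assumptions; the exact status code for the plain-http case depends on the rest of the server configuration (403 from "Require ssl", or a 301/302 if a redirect is in place), so that case is only checked for "anything but 200".

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Probes the protected directory
# three ways and reports whether the <RequireAll> policy holds.
# HOST, DOC_PATH and CREDS are placeholders for the real deployment.
HOST="${HOST:-www.example.test}"
DOC_PATH="${DOC_PATH:-/test/user/}"
CREDS="${CREDS:-alice:not-a-real-password}"

# Print only the HTTP status code; never follow redirects, so a 301/302 to
# https:// is reported as such rather than silently counted as a success.
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-redirs 0 "$@"
}

# Outcome for one probe: returns 0 when the observed code matches policy.
# expected="200"  -> must be served
# expected="401"  -> must be challenged for credentials
# expected="deny" -> anything except 200 is acceptable (403, 301, ...)
judge() {
    expected=$1; actual=$2
    case "$expected" in
        deny) [ "$actual" != "200" ] ;;
        *)    [ "$actual" = "$expected" ] ;;
    esac
}

# Run one probe, print PASS/FAIL, return judge's status.
probe() {
    label=$1; expected=$2; shift 2
    actual=$(http_code "$@")
    if judge "$expected" "$actual"; then
        echo "PASS  $label  (got $actual)"
    else
        echo "FAIL  $label  (got $actual, policy wants $expected)"; return 1
    fi
}

run_checks() {
    fails=0
    # Plain http must never serve the document, even with valid credentials:
    # this is the case "Require ssl" alone already got right.
    probe "http + creds"    deny -u "$CREDS" "http://$HOST$DOC_PATH"  || fails=$((fails + 1))
    # https without credentials must be challenged: this is the case the
    # original config got wrong (it served the document without auth).
    probe "https, no creds" 401 "https://$HOST$DOC_PATH"              || fails=$((fails + 1))
    # https with valid credentials and group membership must be served.
    probe "https + creds"   200 -u "$CREDS" "https://$HOST$DOC_PATH"  || fails=$((fails + 1))
    return "$fails"
}
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `sh check_requireall.sh --run` after setting HOST, DOC_PATH and CREDS; a non-zero exit status means at least one of the three cases violates the intended policy.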
Re: Combining SSL and basic user (group) authentication

Richard70nl
In reply to this post by John Iliffe
Hi John and All,

On 31 Mar 2019, at 18:41, John <[hidden email]> wrote:

> Why not redirect the incoming HTTP connections to HTTPS?

Yeah, I was considering that as well. Don’t ask me why, but I always have the idea that the redirect can be avoided and access is still “open”.

The solution in this case would be to put all the “Require…” stuff in a <RequireAll> section within the directory section.

Still, thanks for the quick response.

Cheers,
Richard