Location directive with url parameters


Frank McCreedy
First, I apologize if I break any etiquette for messages; this is my first
message.

What I am trying to do is restrict access to a location based on
parameters embedded in a URL as shown below.  The first location just
requires a valid user, the second requires a user in the admin group.  It
doesn't seem to work like I would think it would.  Is this even possible
to do or do I have to make a completely different URL?

<Location /servlet/MyServlet>
   SSLRequireSSL
   AuthType Basic
   AuthName "Area 1"
   AuthUserFile c:/apache/users/users.txt
   require valid-user
</Location>

<Location /servlet/MyServlet?type=admin>
   SSLRequireSSL
   AuthType Basic
   AuthName "Area 2"
   AuthUserFile c:/apache/users/users.txt
   AuthGroupFile c:/apache/users/groups.txt
   require group admin
</Location>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Location directive with url parameters

Joshua Slive
On 4/26/05, Frank McCreedy <[hidden email]> wrote:

> First, I apologize if I break any etiquette for messages; this is my first
> message.
>
> What I am trying to do is restrict access to a location based on
> parameters embedded in a URL as shown below.  The first location just
> requires a valid user, the second requires a user in the admin group.  It
> doesn't seem to work like I would think it would.  Is this even possible
> to do or do I have to make a completely different URL?
>
> <Location /servlet/MyServlet>
>    SSLRequireSSL
>    AuthType Basic
>    AuthName "Area 1"
>    AuthUserFile c:/apache/users/users.txt
>    require valid-user
> </Location>
>
> <Location /servlet/MyServlet?type=admin>
>    SSLRequireSSL
>    AuthType Basic
>    AuthName "Area 2"
>    AuthUserFile c:/apache/users/users.txt
>    AuthGroupFile c:/apache/users/groups.txt
>    require group admin
> </Location>

In general, no, you can't do that.  <Location> will not look at the query string.

If you really need, you can hook something up with mod_rewrite, as in

RewriteEngine On
RewriteCond %{QUERY_STRING} type=admin
RewriteCond %{LA-U:REMOTE_USER} !some-condition
RewriteRule /servlet/MyServlet - [F]

That will kill the request if the user does not match the regex
"some-condition".  You could use a RewriteMap to look up the user in a
groups-type file.

But now we are getting pretty complicated.

Joshua.


Re: Location directive with url parameters

Joshua Slive
[sending back to the list]

On 4/26/05, Frank McCreedy <[hidden email]> wrote:
> Thanks very much for the response.  Any reason why Apache ignores that
> part of the URL?  I don't mean that as a criticism, just wondering...
>
> It will probably be easier in my case just to make a separate servlet to
> handle the admin stuff.

I'm not sure about the original idea -- query string is always stored
separately from the url-path in Apache, so it could have just been an
oversight that they were not both applied.

But note that it would be quite dangerous to limit access based on
query strings.  For example, I bet your servlet would be quite happy
to let you get around the restrictions by accepting requests like
MyServlet?foo=bar&type=admin

Joshua.
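
Added example (not part of the original thread, and not Apache or servlet code): a small Python model of the two query-string gates discussed above, compared with what the application itself would read from the request. prefix_gate is hypothetical and models the raw-string match the first post hoped <Location> would perform; regex_gate uses the unanchored pattern from the RewriteCond; app_view assumes the servlet treats any type=admin parameter as admin mode. The sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ADMIN_PREFIX = "/servlet/MyServlet?type=admin"  # string placed in <Location>
ADMIN_REGEX = re.compile(r"type=admin")         # RewriteCond pattern, unanchored

def prefix_gate(url):
    """Hypothetical: rule fires only if the raw URL starts with the string."""
    return url.startswith(ADMIN_PREFIX)

def regex_gate(url):
    """Rule fires if the regex matches anywhere in the query string."""
    return bool(ADMIN_REGEX.search(urlsplit(url).query))

def app_view(url):
    """Assumed servlet behaviour: admin mode if any 'type' value is 'admin'."""
    return "admin" in parse_qs(urlsplit(url).query).get("type", [])

def classify(url):
    """Compare each gate's decision with what the application would do."""
    app = app_view(url)
    result = {}
    for name, gate in (("prefix", prefix_gate), ("regex", regex_gate)):
        fired = gate(url)
        if fired == app:
            result[name] = "agree"
        elif app:
            result[name] = "missed"     # app is in admin mode, rule did not fire
        else:
            result[name] = "overblock"  # rule fired on a non-admin request
    return result

# Constructed sample requests; the second is the form quoted in the thread.
SAMPLES = [
    "/servlet/MyServlet?type=admin",
    "/servlet/MyServlet?foo=bar&type=admin",
    "/servlet/MyServlet?subtype=administrator",
    "/servlet/MyServlet?type=user",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:45} app_admin={app_view(url)!s:5} {classify(url)}")
```

Any rule that matches on the text of the query string can disagree with the parser in the application, in either direction; a separate URL path for the admin function, as suggested in the thread, avoids the mismatch.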


Re: Location directive with url parameters

Frank McCreedy
yep yep.. didn't think of the problems ordering could cause!


> [sending back to the list]
>
> On 4/26/05, Frank McCreedy <[hidden email]> wrote:
>> Thanks very much for the response.  Any reason why Apache ignores that
>> part of the URL?  I don't mean that as a criticism, just wondering...
>>
>> It will probably be easier in my case just to make a separate servlet to
>> handle the admin stuff.
>
> I'm not sure about the original idea -- query string is always stored
> separately from the url-path in Apache, so it could have just been an
> oversight that they were not both applied.
>
> But note that it would be quite dangerous to limit access based on
> query strings.  For example, I bet your servlet would be quite happy
> to let you get around the restrictions by accepting requests like
> MyServlet?foo=bar&type=admin
>
> Joshua.