force secondary authentication for one Proxy URL QUERY_STRING

force secondary authentication for one Proxy URL QUERY_STRING

Jason Keltz-3
Hi.

I am using a Tomcat application that is proxied through an Apache httpd
server using ProxyPass/ProxyPassReverse. That part is working perfectly.

The application allows all users to use a particular function which I
would like to limit to only specific users. The URL that I would like to
limit looks like this:

https://example.com/#/?key=KJKJHjkdflkjsdflkjJhdsfjhf

If I add to my VirtualHost:

<Proxy "*">
   # <insert my Apache auth of choice>
   Require valid-user
</Proxy>

... then, of course, the user has to authenticate immediately even when
visiting just https://example.com

I want to only apply authentication when the QUERY_STRING includes "?key".

I know I can't evaluate the QUERY_STRING in the <Proxy> section.
However, I should be able to add an IF expression for that exact purpose:

<Proxy "*">
   # ap_expr variables are written %{NAME}; the bare form %QUERY_STRING does not parse
   <If "%{QUERY_STRING} =~ /key/">
     # <insert my Apache auth of choice>
     Require valid-user
   </If>
</Proxy>

This does not work either. I don't get any debugging so I don't know why
it doesn't work.

Any help would be appreciated.

Thanks!



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: force secondary authentication for one Proxy URL QUERY_STRING

Rainer Canavan-2
On Thu, Jun 11, 2020 at 3:13 PM Jason Keltz <[hidden email]> wrote:
[...]
> The URL that I would like to limit looks like this:
>
> https://example.com/#/?key=KJKJHjkdflkjsdflkjJhdsfjhf
[...]
> I want to only apply authentication when the QUERY_STRING includes "?key".

In the URL you have given above, "key" is not in the query string, it's in
the fragment, which should never be sent to the server. I would suspect that
that part is evaluated by JavaScript in the browser, which probably triggers
additional requests to some arbitrary, different URL. Not sure if
authentication failures for such requests would ever cause the browser to
request username/password interactively. Use the developer tools in your
browser to check what's really going on.

rainer
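An added illustration of the point made in this reply (example code, not part of the thread): it models what the browser actually puts on the wire for the two URL shapes and applies the corrected httpd expression `%{QUERY_STRING} =~ /key/` to the query string the server receives. The key value is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs modelled on the one in the thread.
# OP_URL carries "key" after '#', i.e. in the fragment; NO_FRAGMENT_URL carries it in the query.
OP_URL = "https://example.com/#/?key=KJKJHjkdflkjsdflkjJhdsfjhf"
NO_FRAGMENT_URL = "https://example.com/?key=KJKJHjkdflkjsdflkjJhdsfjhf"


def server_side_request(url):
    """Return (request_target, query_string, fragment) for a URL.

    Per RFC 3986 the fragment is consumed by the client only; the request
    line the server sees contains just path and query, so it is the only
    part any httpd <If>/<Proxy> rule can ever inspect.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target, parts.query, parts.fragment


def if_condition_matches(query_string, pattern="key"):
    """Model of <If "%{QUERY_STRING} =~ /key/">: the regex runs against
    the server-side QUERY_STRING, never against the fragment."""
    return re.search(pattern, query_string) is not None


def auth_would_be_required(url):
    """True when 'Require valid-user' inside the <If> would apply to this URL."""
    _target, qs, _frag = server_side_request(url)
    return if_condition_matches(qs)


if __name__ == "__main__":
    for url in (OP_URL, NO_FRAGMENT_URL):
        target, qs, frag = server_side_request(url)
        print(url)
        print(f"  request line : GET {target} HTTP/1.1")
        print(f"  QUERY_STRING : {qs!r}   (fragment kept by browser: {frag!r})")
        print(f"  auth applies : {auth_would_be_required(url)}")
```

For the thread's URL the server receives `GET / HTTP/1.1` with an empty QUERY_STRING, so no server-side condition can match; only the URL without the `#` ever reaches the `<If>` with `key` in the query.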
