Posted to users@httpd.apache.org by Seth Chaiklin <se...@dpu.dk> on 2007/03/21 03:47:33 UTC

[users@httpd] Is it possible to use SSLRequire to give differential access to a directory and a subdirectory?

Apache 2.2.4 with mod_ssl

Can someone please confirm that the following is impossible
using only certificates and SSLRequire.

/Directory:                      only user 1 has access
/Subdirectory to Directory:      only user 2 has access

The problem is that, one can either:

a. give access to /Directory to user 1 with an SSLRequire 
expression that only user 1 can satisfy, but then user 2 cannot 
get access to /subdirectory, because the SSLRequire expression 
for /Directory gets passed down.

or

b. give access to /Directory for both users 1 and 2 with an 
SSLRequire expression, while a more restrictive expression 
prevents access to /subdirectory for user 1.

Neither of these alternatives is desirable. The idea is for each 
user to have access to only the directory or the subdirectory, 
but not both.

The manual mentions that SSLRequire "is a very powerful directive 
because the requirement specification is an arbitrarily complex 
boolean expression containing any number of access checks," but I 
don't think it can handle this kind of differential, individual 
per-directory access -- but maybe my understanding of boolean 
logic is too limited.

Thanks for any insight.

Sincerely,
  Seth Chaiklin




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Is it possible to use SSLRequire to give differential access to a directory and a subdirectory?

Posted by Seth Chaiklin <se...@dpu.dk>.
On Wed, 21 Mar 2007, Serge Dubrouski wrote:

> On 3/20/07, Seth Chaiklin <se...@dpu.dk> wrote:

> > On Tue, 20 Mar 2007, Serge Dubrouski wrote:
> >
> > > I'm afraid you are mixing up 2 different things: control of user
> > > access to the site and control type of access to your site.
> > > SSLRequireSSL can't control what users can get access to the
> > > particular directory but it can control that access to that directory
> > > will be provided through SSL enabled connection only.
> >
> > That is clear for SSLRequireSSL, but I am referring to SSLRequire.

> Sorry my mistake :-) 

No problem.

> Per mod_ssl documentation SSLRequire has
> directory context, that means that you should be able to control user
> access per directory level and provide access to /Dir to user1 only
> and to /Subdir to user2 only. You have just to build the correct
> rules, based on client certificates, for example.

Right.  This was my original query.  It is easy enough
to specify different criteria for different directories 
(including subdirectories).

The problem arises however because the properties for the
directory are passed down to the subdirectory!  In this case,
the SSLRequire for the directory is given to the subdirectory,
which makes it impossible to give different requirements to 
the directory and subdirectory.

For example:

<Directory /directory>
SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DE"
</Directory>

<Directory /directory/subdir>
SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DK"
</Directory>

If a person with DK certificate tries to access /directory/subdir 
then access will be rejected (according to the error message in 
the logfile) because it does not have DE certificate.

I was hoping that someone here could (a) confirm that this is the 
way it is supposed to work, and (b) confirm that there is no way 
to override this directory cascade.

From reading the documentation, it does not appear possible, in 
which case I will make an "enhancement" request.

Thanks,
  Seth Chaiklin
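
The inheritance described in this message, modelled as an added Python example (not code from the thread or from Apache). It assumes, as reported above, that the SSLRequire of every enclosing directory must hold in addition to the subdirectory's own, and compares the two-section configuration with a single parent expression that branches on the request path; the helper names and sample certificates are constructed for illustration.

```python
# Added illustration: a model of the behaviour reported in the thread, not Apache code.
# Assumption: the SSLRequire of every enclosing <Directory> must be satisfied
# together with the one in the most specific section.
from pathlib import PurePosixPath

def under(path, base):
    """True if path is base itself or lies below it."""
    p, b = PurePosixPath(path), PurePosixPath(base)
    return p == b or b in p.parents

def allowed(sections, path, cert):
    """Grant access only if all inherited predicates accept the certificate."""
    rules = [rule for base, rule in sections if under(path, base)]
    return all(rule(path, cert) for rule in rules)

# The configuration from the post: one expression per nested directory.
NESTED = [
    ("/directory",        lambda path, cert: cert["C"] == "DE"),
    ("/directory/subdir", lambda path, cert: cert["C"] == "DK"),
]

# One expression on the parent only, branching on the requested path.
# In SSLRequire terms this would test a request-path variable such as
# %{REQUEST_URI} (assumption: not verified on the poster's setup).
SUBDIR = "/directory/subdir"
PATH_AWARE = [
    ("/directory", lambda path, cert:
        (under(path, SUBDIR) and cert["C"] == "DK") or
        (not under(path, SUBDIR) and cert["C"] == "DE")),
]

def access_matrix(sections):
    """Evaluate both constructed sample certificates against both locations."""
    certs = {"DE": {"C": "DE"}, "DK": {"C": "DK"}}  # constructed sample data
    paths = ["/directory/index.html", "/directory/subdir/index.html"]
    return {(c, p): allowed(sections, p, cert)
            for c, cert in certs.items() for p in paths}

if __name__ == "__main__":
    for name, cfg in (("nested", NESTED), ("path-aware", PATH_AWARE)):
        for (c, p), ok in access_matrix(cfg).items():
            print(f"{name:10} C={c} {p:30} {'allow' if ok else 'deny'}")
```

Under the cumulative model the nested configuration leaves the subdirectory unreachable for both certificates, because no certificate has C equal to both "DE" and "DK".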




Re: [users@httpd] Is it possible to use SSLRequire to give differential access to a directory and a subdirectory?

Posted by Serge Dubrouski <se...@gmail.com>.
I'm afraid you are mixing up 2 different things: control of user
access to the site and control type of access to your site.
SSLRequireSSL can't control what users can get access to the
particular directory but it can control that access to that directory
will be provided through SSL enabled connection only.

But you can simply control user access using mod_auth_basic (or more
complex modules like LDAP or so)  and standard Require directives.
