Posted to users@httpd.apache.org by Claudiu Sebe <cs...@fx.ro> on 2005/03/15 14:09:23 UTC

[users@httpd] user authentication and redirect to directory

Hello all,

Here is the story:

In a certain directory, users authenticate through mod_auth user/pass
mechanism like:
    ####
    <Directory /var/www/localhost/protected>
    Options +FollowSymLinks +Indexes
    AuthName "Client Login"
    AuthType Basic
    AuthUserFile /var/www/passes/.htpass
    Require valid-user
    ####

The /protected directory looks like:
    /protected
        /user1
        /user2
    ...

After authentication I need to redirect the user to their directory based on
the login name, so in the same <Directory...> directive, I put:
    ####
    RewriteEngine on
    RewriteRule ^$ /protected/%{REMOTE_USER}/$1 [L,R]
    ####

Up to here it works OK. But I'd like to prevent users who know the full path
to other users' directories from being able to enter them.
Therefore I tried to deny access in unauthorized places, adding the
following in the end:
    ####
    RewriteRule !^%{REMOTE_USER} - [L,F]
    ####
or alternatively:
    ####
    RewriteRule ^$ /protected/%{REMOTE_USER}/$1 [L,R]
    RewriteCond $1 =%1
    RewriteRule ^(.*)/ - [L,F]
    ####

Neither does the trick because
- RewriteCond doesn't interpolate variables in the CondPattern part (only in
the TestString)
- RewriteRule doesn't interpolate variables in the Pattern (only in the
Substitution)

IMHO what I need can't be done only with mod rewrite. Can anyone show me
wrong 8-) ?

TIA,
Claudiu


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
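
Added example, not part of the original post and not the Apache project's own configuration: a commonly used way around the limitation described in the message above. TestString is interpolated, so %{REMOTE_USER} and the first path segment captured by the RewriteRule can be joined there and compared with a regex back-reference inside CondPattern. It assumes Apache 2.x (PCRE regexes); the "<>" separator is an arbitrary choice.

```apache
<Directory /var/www/localhost/protected>
    Options +FollowSymLinks +Indexes
    AuthName "Client Login"
    AuthType Basic
    AuthUserFile /var/www/passes/.htpass
    Require valid-user

    RewriteEngine on

    # Bare request for /protected/: send the user to their own directory.
    RewriteRule ^$ /protected/%{REMOTE_USER}/ [L,R]

    # The RewriteRule pattern is matched first, so $1 (the first path
    # segment below /protected/) is available in the condition's TestString.
    # TestString becomes "<login><><segment>"; the CondPattern matches only
    # when both halves are identical (\1 is a back-reference inside the
    # regex itself, so no variable expansion in the pattern is needed).
    # The leading "!" negates the match: anything that is NOT the user's
    # own directory is answered with 403 Forbidden.
    # A login name containing "<" can never match and is denied (fails closed).
    RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1$
    RewriteRule ^([^/]+)(/|$) - [F]
</Directory>
```

The comparison is anchored on both sides, so a login of user1 does not grant access to /protected/user10/. It is also case-sensitive, which matters on case-insensitive filesystems.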


Re: [users@httpd] user authentication and redirect to directory

Posted by Joshua Slive <js...@gmail.com>.
On Tue, 15 Mar 2005 21:33:22 +0200, Claudiu Sebe <cs...@fx.ro> wrote:
> > I think there is something you aren't telling us, since your above
> > RewriteRule should create an infinite loop (it will hit again on the
> > request to /protected/%{REMOTE_USER}).  And in addition, the $1
> > doesn't match anything.
> 
> Nope, there's nothing missing and no infinite loop is created. We are in a
> per-directory context and "^$" matches only the first time; the next time
> there is no empty string.

Yes, you are correct.  I misread the regex.

Joshua.



Re: [users@httpd] user authentication and redirect to directory

Posted by Claudiu Sebe <cs...@fx.ro>.
----- Original Message ----- 
From: "Joshua Slive" <js...@gmail.com>
To: <us...@httpd.apache.org>
Sent: Tuesday, March 15, 2005 4:30 PM
Subject: Re: [users@httpd] user authentication and redirect to directory


> On Tue, 15 Mar 2005 15:09:23 +0200, Claudiu Sebe <cs...@fx.ro> wrote:
> > Hello all,
> >
> > Here is the story:
> >
> > In a certain directory, users authenticate through mod_auth user/pass
> > mechanism like:
> >     ####
> >     <Directory /var/www/localhost/protected>
> >     Options +FollowSymLinks +Indexes
> >     AuthName "Client Login"
> >     AuthType Basic
> >     AuthUserFile /var/www/passes/.htpass
> >     Require valid-user
> >     ####
> >
> > The /protected directory looks like:
> >     /protected
> >         /user1
> >         /user2
> >     ...
> >
> > After authentication I need to redirect the user to their directory based on
> > the login name, so in the same <Directory...> directive, I put:
> >     ####
> >     RewriteEngine on
> >     RewriteRule ^$ /protected/%{REMOTE_USER}/$1 [L,R]
> >     ####
> >
> > Up to here it works OK. But I'd like to prevent users who know the full path
> > to other users' directories from being able to enter them.
>
> > IMHO what I need can't be done only with mod rewrite. Can anyone show me
> > wrong 8-) ?
>
> I think there is something you aren't telling us, since your above
> RewriteRule should create an infinite loop (it will hit again on the
> request to /protected/%{REMOTE_USER}).  And in addition, the $1
> doesn't match anything.

Nope, there's nothing missing and no infinite loop is created. We are in a
per-directory context and "^$" matches only the first time; the next time
there is no empty string.
As for the $1, it is a leftover from a previous attempt. However, if there
is no parenthesised (...) match in the pattern, $1 is empty, so it really
doesn't matter.


[snip]
> Joshua.




Re: [users@httpd] user authentication and redirect to directory

Posted by Joshua Slive <js...@gmail.com>.
On Tue, 15 Mar 2005 15:09:23 +0200, Claudiu Sebe <cs...@fx.ro> wrote:
> Hello all,
> 
> Here is the story:
> 
> In a certain directory, users authenticate through mod_auth user/pass
> mechanism like:
>     ####
>     <Directory /var/www/localhost/protected>
>     Options +FollowSymLinks +Indexes
>     AuthName "Client Login"
>     AuthType Basic
>     AuthUserFile /var/www/passes/.htpass
>     Require valid-user
>     ####
> 
> The /protected directory looks like:
>     /protected
>         /user1
>         /user2
>     ...
> 
> After authentication I need to redirect the user to their directory based on
> the login name, so in the same <Directory...> directive, I put:
>     ####
>     RewriteEngine on
>     RewriteRule ^$ /protected/%{REMOTE_USER}/$1 [L,R]
>     ####
> 
> Up to here it works OK. But I'd like to prevent users who know the full path
> to other users' directories from being able to enter them.

> IMHO what I need can't be done only with mod rewrite. Can anyone show me
> wrong 8-) ?

I think there is something you aren't telling us, since your above
RewriteRule should create an infinite loop (it will hit again on the
request to /protected/%{REMOTE_USER}).  And in addition, the $1
doesn't match anything.

The way I would handle this (and there are probably others), is to
remove the "R" from your RewriteRule.  That way the users won't have
any choice (or knowledge) about the specific subdirectory that they
are entering.  It would look something like
RewriteRule (.*) /full/path/to/protected/%{REMOTE_USER}/$1 [L]

One way to avoid the infinite loop problem would be to put
/full/path/to/protected someplace outside the DocumentRoot.

Joshua.
