Posted to modperl@perl.apache.org by Carl Franks <fi...@gmail.com> on 2012/02/28 17:54:12 UTC

Runtime access control by url

Hi,

I'm currently handling access control with "AuthBasicProvider ldap dbd".
I'd like to get rid of the growing list of <Location> directives in
our httpd.conf and lookup each request url against a database, to
check whether it requires a login.
Visitors should be able to browse the website without an account, and
only be asked for one for specific URLs.

I've tried using a PerlInitHandler in <Location />, but am unable to
get it to work.

It seems that the Auth/Authz phases are only run when the <Location />
contains a "Require" directive.
It appears that Apache2::Access->requires() is only a getter, so I
can't switch "Require" on within my PerlInitHandler.
But if I set "Require" in httpd.conf, I can't unset it for URLs that
shouldn't require a login.

Am I going about this the wrong way - and has this been solved before?
Cheers,
Carl

Re: Runtime access control by url

Posted by André Warnier <aw...@ice-sa.com>.
Carl Franks wrote:
> Hi,
> 
> I'm currently handling access control with "AuthBasicProvider ldap dbd".
> I'd like to get rid of the growing list of <Location> directives in
> our httpd.conf and lookup each request url against a database, to
> check whether it requires a login.
> Visitors should be able to browse the website without an account, and
> only be asked for one for specific URLs.
> 
> I've tried using a PerlInitHandler in <Location />, but am unable to
> get it to work.
> 
> It seems that the Auth/Authz phases are only run when the <Location />
> contains a "Require" directive.

That may be true for the Authz (authorization) phase, but not for the Auth 
(authentication) phase.  As far as I know, the Auth phase is run as soon as you have an 
"AuthType" directive (or maybe AuthName); it does not depend on "Require" being there.

> It appears that Apache2::Access->requires() is only a getter, so I
> can't switch "Require" on within my PerlInitHandler.
> But if I set "Require" in httpd.conf, I can't unset it for URLs that
> shouldn't require a login.
> 
> Am I going about this the wrong way - and has this been solved before?

I do not think that it has been solved before in your specific case (with mod_auth_ldap), 
and yes, I think that you might be going about this the wrong way.

It is probably possible, but it may be difficult/complex/inefficient to implement the kind 
of scheme which you are indicating above. (*)

Let me therefore propose what may be a simpler way : to avoid the multiplication of 
<Location> sections, can you not organise your URLs in such a way that one (or a few) 
<LocationMatch> would do the job ?
I mean, to arrange your URLs which must be submitted to authentication/authorization in 
such a way that they match a regexp pattern, and the URLs that are unprotected don't ?
Or vice-versa.

That's bound to be more efficient than having to access a database at each request to find 
out if you must AAA or not.



(*) The way I can imagine doing this would be to do your URL check, and then change the 
AuthType on-the-fly if this URL does not require AAA (from "Basic" to "something_else"). 
And provide PerlAuthHandler/PerlAuthzHandler for that "something else" case, which always 
allow access to the resource.
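
A check one might run before swapping per-URL <Location> sections for a single <LocationMatch>, as proposed in the reply above: it compares a candidate pattern against the list of URLs and reports any protected path the pattern misses. This is an added example, not part of the original thread; the URL table, the candidate patterns and the function name are constructed for illustration, and Python's re module stands in for Apache's PCRE engine (the two agree for simple patterns like these).

```python
import re

# Constructed sample data (assumption): rows as they might come from the
# site's URL table, pairing a path with whether it requires a login.
URL_TABLE = [
    ("/", False),
    ("/news/", False),
    ("/members/", True),
    ("/members/profile", True),
    ("/admin/reports", True),
    ("/downloads/private/", True),
    ("/downloads/public/", False),
]

# Hypothetical candidates for the single <LocationMatch> section.
TOO_NARROW = r"^/(members|admin)(/|$)"
TOO_BROAD = r"^/(members|admin|downloads)(/|$)"
EXACT = r"^/(members|admin|downloads/private)(/|$)"


def audit(pattern, table):
    """Compare one candidate pattern against the per-URL table.

    Returns (exposed, overblocked):
      exposed     - paths that need a login but the pattern does not match,
                    i.e. they would be served without authentication
      overblocked - public paths the pattern would put behind a login
    """
    rx = re.compile(pattern)
    exposed, overblocked = [], []
    for path, needs_login in table:
        matched = rx.search(path) is not None
        if needs_login and not matched:
            exposed.append(path)
        elif matched and not needs_login:
            overblocked.append(path)
    return exposed, overblocked


if __name__ == "__main__":
    for name, pattern in (("narrow", TOO_NARROW), ("broad", TOO_BROAD),
                          ("exact", EXACT)):
        exposed, overblocked = audit(pattern, URL_TABLE)
        print(f"{name:7} exposed={exposed} overblocked={overblocked}")
```

A non-empty "exposed" list is the result that matters: those paths would lose their login requirement if the pattern replaced the existing sections.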