Posted to modperl@perl.apache.org by Carl Franks <fi...@gmail.com> on 2012/02/28 17:54:12 UTC
Runtime access control by url
Hi,
I'm currently handling access control with "AuthBasicProvider ldap dbd".
I'd like to get rid of the growing list of <Location> directives in
our httpd.conf and lookup each request url against a database, to
check whether it requires a login.
Visitors should be able to browse the website without an account, and
only be asked for one for specific URLs.
I've tried using a PerlInitHandler in <Location />, but am unable to
get it to work.
It seems that the Auth/Authz phases are only run when the <Location />
contains a "Require" directive.
It appears that Apache2::Access->requires() is only a getter, so I
can't switch "Require" on within my PerlInitHandler.
But if I set "Require" in httpd.conf, I can't unset it for URLs that
shouldn't require a login.
Am I going about this the wrong way - and has this been solved before?
Cheers,
Carl
Re: Runtime access control by url
Posted by André Warnier <aw...@ice-sa.com>.
Carl Franks wrote:
> Hi,
>
> I'm currently handling access control with "AuthBasicProvider ldap dbd".
> I'd like to get rid of the growing list of <Location> directives in
> our httpd.conf and lookup each request url against a database, to
> check whether it requires a login.
> Visitors should be able to browse the website without an account, and
> only be asked for one for specific URLs.
>
> I've tried using a PerlInitHandler in <Location />, but am unable to
> get it to work.
>
> It seems that the Auth/Authz phases are only run when the <Location />
> contains a "Require" directive.
That may be true for the Authz (authorization) phase, but not for the Auth
(authentication) phase. As far as I know, the Auth phase is run as soon as you have an
"AuthType" directive (or maybe AuthName); it does not depend on "Require" being there.
> It appears that Apache2::Access->requires() is only a getter, so I
> can't switch "Require" on within my PerlInitHandler.
> But if I set "Require" in httpd.conf, I can't unset it for URLs that
> shouldn't require a login.
>
> Am I going about this the wrong way - and has this been solved before?
I do not think that it has been solved before in your specific case (with mod_auth_ldap),
and yes, I think that you might be going about this the wrong way.
It is probably possible, but it may be difficult/complex/inefficient to implement the kind
of scheme which you are indicating above. (*)
Let me therefore propose what may be a simpler way : to avoid the multiplication of
<Location> sections, can you not organise your URLs in such a way that one (or a few)
<LocationMatch> would do the job ?
I mean, to arrange your URLs which must be submitted to authentication/authorization in
such a way that they match a regexp pattern, and the URLs that are unprotected don't ?
Or vice-versa.
That's bound to be more efficient than having to access a database at each request to find
out if you must AAA or not.
(*) The way I can imagine doing this would be to do your URL check, and then change the
AuthType on-the-fly if this URL does not require AAA (from "Basic" to "something_else").
And provide PerlAuthHandler/PerlAuthzHandler for that "something else" case, which always
allow access to the resource.
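
The <LocationMatch> suggestion above, sketched as configuration. This is an added example, not part of the original thread; the paths, realm name, LDAP URL and SQL query are constructed placeholders, and the provider settings are assumed to match whatever the existing <Location> blocks already use.

```apache
# Before: one block per protected area, growing with every new URL.
# (Paths are hypothetical.)
#
#   <Location /members>  AuthType Basic ... Require valid-user  </Location>
#   <Location /reports>  AuthType Basic ... Require valid-user  </Location>
#   <Location /admin>    AuthType Basic ... Require valid-user  </Location>

# After: a single anchored pattern covers every protected prefix.
#   ^      ties the match to the start of the URL path, so a path such as
#          /public/admin is not protected (or challenged) by accident.
#   (/|$)  ends the prefix at a path boundary, so /membership and
#          /admin-help stay public while /admin and /admin/users do not.
<LocationMatch "^/(members|reports|admin)(/|$)">
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap dbd

    # Placeholder provider settings: copy the real values from the
    # existing <Location> blocks.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
    AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"

    Require valid-user
</LocationMatch>

# Everything that does not match the pattern has no AuthType and no
# Require, so anonymous visitors can browse it without being challenged.
```

Adding a newly protected area then means extending the alternation, or placing the new URLs under a prefix the pattern already covers. After each change, confirm that a protected URL answers 401 without credentials and that a neighbouring public URL still answers 200.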