Posted to users@httpd.apache.org by "J.Lance Wilkinson" <jl...@psulias.psu.edu> on 2011/01/26 16:52:15 UTC

[users@httpd] Authentication based on QUERY STRING

I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server 
within Oracle Application Express) and needs to SUPPRESS his default 
authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING 
contains the string ":25:".  Otherwise he wants to continue to enforce his
authentication.

Thoughts?

-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Authentication based on QUERY STRING

Posted by "J.Lance Wilkinson" <jl...@psulias.psu.edu>.
Mark Montague wrote:
> If you're ignoring the "remarkably bad idea" part of Rich's response, 
> above, here are some more ways to get in trouble:
> 
> - mod_cosign allows you to make authentication optional via the 
> CosignAllowPublicAccess directive.  If you are serving dynamic content 
> (a CGI, etc.), you (or your developer) can then have your dynamic 
> content (a CGI, etc.) force authentication if the user is not 
> authenticated and the query string does not contain ":25:", but allow 
> both authenticated and unauthenticated access otherwise.  For specifics 
> on how to implement this, ask on the cosign-discuss mailing list ( 
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss ).  
> Unfortunately, this solution will not work for static content.
> 
> - You (or your developer) can modify mod_cosign to get what you need; 
> this is horrible and ugly, but probably easier than implementing your 
> own authentication mechanism. You'll probably want to add your 
> additional check (return DECLINED if the query string contains ":25:") 
> in the cosign source code near filters/apache/mod_cosign.c line 428.  
> Lines 209-222 of the same file provide an example of code that checks 
> the query string that could be rewritten for your needs.  See 
> http://cosign.git.sourceforge.net/git/gitweb.cgi?p=cosign/cosign;a=blob;f=filters/apache/mod_cosign.c;h=3a279745e70acef52211678e2a6a3acb89392a04;hb=HEAD 

	ABSOLUTELY not a consideration, so don't worry on that one.

	Admittedly, I was hoping that some other folks (as yet unasked)
	would tell me I'd missed some delightful feature in MOD_COSIGN
	that would allow me to put some kind of env= optionality onto
	the CosignProtected directive...  But this whole discussion has
	proven the foolhardiness of that, too.

> 
>> Again, this seems like a really bad idea.
> 
> The above bears repeating (if it's not obvious why it's a bad idea, let 
> us know so we can explain).
> 
> WHY does your developer think he needs to bypass authentication based on 
> what's in the query string?  Knowing the details of the situation may 
> allow us to suggest an alternative solution.  Remind your developer of 
> http://www.catb.org/~esr/faqs/smart-questions.html#goal


	Well, I've asked this question already.  Seems that the 3 DYNAMIC
	pages of content that will not require authentication are being rolled
	into the other DYNAMIC pages which do.  They (not sure who THEY are,
	perhaps the application's customer, perhaps the developer's supervisor,
	or somebody else along the hierarchy) want it all in the same DNS
	name and Oracle application.

	After floating some alternatives back to him, I offered to pass on
	the conceptual request to this august group on the off chance it wasn't
	as ill-advised as I suspected.  Turns out, however, that it's even more
	ill-advised than I'd suspected.

-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802



Re: [users@httpd] Authentication based on QUERY STRING

Posted by Mark Montague <ma...@catseye.org>.
On January 26, 2011 13:48, Rich Bowen <rb...@rcbowen.com> wrote:
>>> On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
>>>> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:".  Otherwise he wants to continue to enforce his
>>>> authentication.
>
> Meanwhile, suppressing authentication based on a query string argument is not easy simply because it's a remarkably bad idea, as it undermines the very notion of authentication. However, if you must do this, then you'll probably need to implement your own authentication mechanism. HTTP auth happens too early in the process for what you're trying to do.
>
> The only solution that comes to mind is to have a front-end server that looks at the query string (say, mod_rewrite) and rewrites the request to an un-auth copy of the content when the query string has the right magic string in it.


If you're ignoring the "remarkably bad idea" part of Rich's response, 
above, here are some more ways to get in trouble:

- mod_cosign allows you to make authentication optional via the 
CosignAllowPublicAccess directive.  If you are serving dynamic content 
(a CGI, etc.), you (or your developer) can then have your dynamic 
content (a CGI, etc.) force authentication if the user is not 
authenticated and the query string does not contain ":25:", but allow 
both authenticated and unauthenticated access otherwise.  For specifics 
on how to implement this, ask on the cosign-discuss mailing list ( 
https://lists.sourceforge.net/lists/listinfo/cosign-discuss ).  
Unfortunately, this solution will not work for static content.

- You (or your developer) can modify mod_cosign to get what you need; 
this is horrible and ugly, but probably easier than implementing your 
own authentication mechanism. You'll probably want to add your 
additional check (return DECLINED if the query string contains ":25:") 
in the cosign source code near filters/apache/mod_cosign.c line 428.  
Lines 209-222 of the same file provide an example of code that checks 
the query string that could be rewritten for your needs.  See 
http://cosign.git.sourceforge.net/git/gitweb.cgi?p=cosign/cosign;a=blob;f=filters/apache/mod_cosign.c;h=3a279745e70acef52211678e2a6a3acb89392a04;hb=HEAD


> Again, this seems like a really bad idea.

The above bears repeating (if it's not obvious why it's a bad idea, let 
us know so we can explain).

WHY does your developer think he needs to bypass authentication based on 
what's in the query string?  Knowing the details of the situation may 
allow us to suggest an alternative solution.  Remind your developer of 
http://www.catb.org/~esr/faqs/smart-questions.html#goal

--
   Mark Montague
   mark@catseye.org




Re: [users@httpd] Authentication based on QUERY STRING

Posted by Rich Bowen <rb...@rcbowen.com>.
On Jan 26, 2011, at 1:38 PM, J.Lance Wilkinson wrote:

> Rich Bowen wrote:
>> On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
>>> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:".  Otherwise he wants to continue to enforce his
>>> authentication.
>>> 
>>> Thoughts?
>> My first thought is "Holy cow, 1.3.9 was released in August 1999. Why the heck are you using *that* dinosaur."
>> Closely followed by, no, that's probably not possible, and especially not in something that ancient.
> 
> 	I'm certainly inclined to agree with you, but apparently Oracle
> 	disagrees.  There are apparently a multitude of custom Oracle
> 	modules which, if Apache 2.x or Apache 2.2.x versions of them
> 	existed, would clearly be distributed and available, thus making
> 	later versions of Apache feasible.

If those modules worked on 1.3.9, they would also work on 1.3.42, which, while hardly cutting edge, was at least released this century.

Meanwhile, suppressing authentication based on a query string argument is not easy simply because it's a remarkably bad idea, as it undermines the very notion of authentication. However, if you must do this, then you'll probably need to implement your own authentication mechanism. HTTP auth happens too early in the process for what you're trying to do.

The only solution that comes to mind is to have a front-end server that looks at the query string (say, mod_rewrite) and rewrites the request to an un-auth copy of the content when the query string has the right magic string in it.

Again, this seems like a really bad idea.

--
Rich Bowen
rbowen@rcbowen.com




Re: [users@httpd] Authentication based on QUERY STRING

Posted by "J.Lance Wilkinson" <jl...@psulias.psu.edu>.
Rich Bowen wrote:
> On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
> 
>> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:".  Otherwise he wants to continue to enforce his
>> authentication.
>>
>> Thoughts?
> 
> My first thought is "Holy cow, 1.3.9 was released in August 1999. Why the heck are you using *that* dinosaur."
> Closely followed by, no, that's probably not possible, and especially not in something that ancient.

	I'm certainly inclined to agree with you, but apparently Oracle
	disagrees.  There are apparently a multitude of custom Oracle
	modules which, if Apache 2.x or Apache 2.2.x versions of them
	existed, would clearly be distributed and available, thus making
	later versions of Apache feasible.

-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802



Re: [users@httpd] Authentication based on QUERY STRING

Posted by Björn Zettergren <bj...@basefarm.se>.
On 01/26/2011 06:52 PM, Rich Bowen wrote:
>
> On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
>
>> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:".  Otherwise he wants to continue to enforce his
>> authentication.
>>
>> Thoughts?
>
> My first thought is "Holy cow, 1.3.9 was released in August 1999. Why the heck are you using *that* dinosaur."
> Closely followed by, no, that's probably not possible, and especially not in something that ancient.

If you're stuck with that Apache version due to Oracle, you might be 
able to pull that off by having an Apache 2.2 with mod_rewrite & 
mod_proxy in front of your current server, and do your 
authentication/bypassing there. However, if your server is publicly 
accessible, I'd look far and wide for a different "bypass" mechanism 
(rather, no bypass at all).

/Björn
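As an added illustration, not configuration posted by anyone in this thread, here is what the front end Rich and Björn describe would look like in Apache 2.2 with mod_rewrite and mod_proxy: first the query-string bypass exactly as requested, then the path-based split that does not let the client decide whether it is authenticated. Host names, the :7777 port, the /pls/apex path, the application id and page numbers are all assumptions, as is reading ":25:" as the page number in an APEX f?p=APP:PAGE:SESSION URL; CosignProtected is the mod_cosign directive Lance mentions and is assumed to be set on the two backend copies, not on the front end.

```apache
# Added example (not from the thread). Apache 2.2 front end with mod_rewrite
# and mod_proxy in front of two copies of the Oracle HTTP Server (Apache 1.3.9):
#   ohs-auth.internal   - existing instance, CosignProtected On
#   ohs-public.internal - the "un-auth copy", CosignProtected Off
# Names, port, path, application id 100 and page numbers are assumptions.
ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On

# ---- (A) The bypass as requested. DO NOT DEPLOY (left commented out). ----
# The client's query string selects the backend, so the client selects whether
# it authenticates. Every protected page is reachable by putting the magic
# string anywhere in the query, e.g.
#   /pls/apex/f?p=100:1:::NO:::&x=:25:
# %{QUERY_STRING} is the raw string, so the %3A25%3A spelling has to be
# matched as well, and that list of spellings is still not exhaustive.
#RewriteCond %{QUERY_STRING} (:|%3A)25(:|%3A) [NC]
#RewriteRule ^/pls/apex/(.*)$ http://ohs-public.internal:7777/pls/apex/$1 [P,L]
#RewriteRule ^/pls/apex/(.*)$ http://ohs-auth.internal:7777/pls/apex/$1   [P,L]

# ---- (B) Decide on a server-controlled value instead ----
# Each public page gets its own fixed front-end path. The page number is part
# of the substitution, and a "?" in the substitution replaces the client's
# query string (only [QSA] would append it), so nothing the client sends can
# change which page the public copy serves.
RewriteRule ^/public/catalog$ http://ohs-public.internal:7777/pls/apex/f?p=100:25 [P,L]
RewriteRule ^/public/hours$   http://ohs-public.internal:7777/pls/apex/f?p=100:26 [P,L]
RewriteRule ^/public/contact$ http://ohs-public.internal:7777/pls/apex/f?p=100:27 [P,L]

# Everything else under the application path goes to the protected copy,
# unconditionally. No rule anywhere inspects the query string.
ProxyPass        /pls/apex http://ohs-auth.internal:7777/pls/apex
ProxyPassReverse /pls/apex http://ohs-auth.internal:7777/pls/apex

# Both backends must accept connections only from this front end (firewall or
# bind to an internal interface). If ohs-public is reachable directly, every
# page of the application is public regardless of what is written above.
```

The split in (B) only holds if the three public pages are self-contained: APEX navigation links and form posts rendered by page 25 point back under /pls/apex and therefore land on the protected copy. If the public pages share sessions or forms with the rest of the application, Mark's first option above (CosignAllowPublicAccess with the application itself deciding per page) is the better fit, since it keeps one instance and one session.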



Re: [users@httpd] Authentication based on QUERY STRING

Posted by Rich Bowen <rb...@rcbowen.com>.
On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:

> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:".  Otherwise he wants to continue to enforce his
> authentication.
> 
> Thoughts?

My first thought is "Holy cow, 1.3.9 was released in August 1999. Why the heck are you using *that* dinosaur."
Closely followed by, no, that's probably not possible, and especially not in something that ancient.

--
Rich Bowen
rbowen@rcbowen.com

