Posted to users@httpd.apache.org by Scott Brady <sb...@memolinkcorp.com> on 2009/07/30 21:49:47 UTC

[users@httpd] Don't require authentication on a subfolder

I'm trying to find a way to require authentication (using mod_auth_sspi)  on an entire website except for one specific folder, which I want freely accessible. However, I've been having issues getting that to work. I've tried setting SSPIAuth Off on the subfolder, but that didn't work. Is there something I'm missing?

Here's the relevant part of my vhosts file entry for that site:
    <Directory / >
        AuthName "Enter your login"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative Off
        SSPIDomain mydomain.lan
        SSPIOfferBasic On
        Require valid-user
    </Directory>
    # This is the folder I want freely accessible
    <Directory /mySubFolder/ >
        SSPIAuth Off
    </Directory>

Thanks!
-----------------------------------
Scott Brady
Lead Application Developer
Memolink, Inc.


[users@httpd] Re: Don't require authentication on a subfolder

Posted by Nicholas Sherlock <n....@gmail.com>.
André Warnier wrote:
> If that is still not entirely clear, here is a summary :
> - the Windows filesystem, in terms of locating directories and 
> filenames, is case-insensitive.  In other words, "/dir" and "/DIR" and 
> "/Dir" all lead to the same place.
> - the Apache <Location> directive applies to the URL, and IS 
> case-sensitive.  In that case, "/public" and "/PUBLIC" are 2 different 
> URLs.


Ah, thanks for pointing that out! My only Windows Apache server is my 
development machine, but that little bit of information could be really 
critical at some point.

Cheers,
Nicholas Sherlock


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Don't require authentication on a subfolder

Posted by André Warnier <aw...@ice-sa.com>.
Scott Brady wrote:
> That worked (I had to put the "/public/" before the "/"
> and remove the trailing slash in "/public/", but it worked).

Just to nitpick a bit :

The fact that you are using mod_SSPI leads me to believe you are running 
Apache on a Windows host.
In that case, you should read this document carefully :

http://httpd.apache.org/docs/2.2/mod/core.html#location

and particularly reflect on this paragraph :

<Location> sections operate completely outside the filesystem. This has 
several consequences. Most importantly, <Location>  directives should 
not be used to control access to filesystem locations. Since several 
different URLs may map to the same filesystem location, such access 
controls may be circumvented.

What that means is explained more completely here :

http://httpd.apache.org/docs/2.2/sections.html

in the section "What to use When".

If that is still not entirely clear, here is a summary :
- the Windows filesystem, in terms of locating directories and 
filenames, is case-insensitive.  In other words, "/dir" and "/DIR" and 
"/Dir" all lead to the same place.
- the Apache <Location> directive applies to the URL, and IS 
case-sensitive.  In that case, "/public" and "/PUBLIC" are 2 different URLs.

So your section
<Location /public>
applies only to browser requests that come in as 
"http://yourhost/public".  It does not apply if a request comes as 
"http://yourhost/PUBLIC", although for both URLs, Apache will serve the 
content of the same disk directory.

In your specific case, it does not really matter, because your intention 
is to release the security for your "public" directory, compared to the 
rest of the site.
But don't do the same for a "secret" part of your site.
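
An added example, not from any poster in this thread: a small Python check that scans a configuration for <Location> sections carrying restrictive directives, the pattern the message above warns against when the content lives on a case-insensitive filesystem. The sample configuration, its paths and the function names are constructed for illustration, and location_applies is a simplified model of Apache's prefix matching.

```python
import re

# Constructed sample configuration (not taken from any poster's server).
SAMPLE_CONF = """
<Location />
    AuthType SSPI
    SSPIAuth On
    Require valid-user
</Location>
<Location /public>
    Allow from all
    Satisfy any
</Location>
<Location /secret>
    Order deny,allow
    Deny from all
</Location>
<Directory "C:/www/site/private">
    Require valid-user
</Directory>
"""

OPEN = re.compile(r'^<(Location|Directory)\s+"?([^">]+?)"?\s*>$', re.I)
CLOSE = re.compile(r"^</(Location|Directory)>$", re.I)
# Directives that restrict access rather than relax it.
RESTRICTING = re.compile(r"^(Require|AuthType|Deny\s+from|SSPIAuth\s+On)\b", re.I)

def url_guards(conf_text):
    """Paths of <Location> sections, other than "/", that restrict access."""
    flagged, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
        elif CLOSE.match(line):
            current = None
        elif current and current[0] == "location" and current[1] != "/":
            # "/" is skipped: every URL path starts with it, whatever its case.
            if RESTRICTING.match(line) and current[1] not in flagged:
                flagged.append(current[1])
    return flagged

def location_applies(section_path, url_path):
    """Simplified model of <Location>: case-sensitive prefix match on the URL."""
    base = section_path.rstrip("/")
    return url_path == base or url_path.startswith(base + "/")

if __name__ == "__main__":
    for path in url_guards(SAMPLE_CONF):
        print(f"review: <Location {path}> restricts by URL; use <Directory> for files on disk")
```

Sections that only relax access, such as the /public one in this thread, are not flagged; a flagged section is a candidate for moving its directives into a <Directory> block for the matching disk path.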





RE: [users@httpd] Don't require authentication on a subfolder

Posted by Scott Brady <sb...@memolinkcorp.com>.
> -----Original Message-----
> From: Tom Evans [mailto:tevans.uk@googlemail.com] 
> Sent: Friday, July 31, 2009 2:54 AM

> Do you understand the difference between <Directory> and <Location>?

Nope, but I do now. :)

(snip)
> I'm pretty sure you just want <Location> containers rather than
> <Directory>, like so:

> <Location />
>    # All your SSPI directives here
> </Location>

> <Location /public/>
>   Allow from all
>   Satisfy any
> </Location>

That worked (I had to put the "/public/" before the "/" and remove the trailing slash in "/public/", but it worked).

Thanks for all the help. I think I'm good ... for now.

Scott


Re: [users@httpd] Don't require authentication on a subfolder

Posted by Tom Evans <te...@googlemail.com>.
On Thu, 2009-07-30 at 13:49 -0600, Scott Brady wrote:
> I'm trying to find a way to require authentication (using
> mod_auth_sspi) on an entire website except for one specific folder,
> which I want freely accessible. However, I've been having issues
> getting that to work. I've tried setting SSPIAuth Off on the
> subfolder, but that didn't work. Is there something I'm missing?
>
> Here's the relevant part of my vhosts file entry for that site:
>
>     <Directory / >
>         AuthName "Enter your login"
>         AuthType SSPI
>         SSPIAuth On
>         SSPIAuthoritative Off
>         SSPIDomain mydomain.lan
>         SSPIOfferBasic On
>         Require valid-user
>     </Directory>
>     # This is the folder I want freely accessible
>     <Directory /mySubFolder/ >
>         SSPIAuth Off
>     </Directory>
>
> Thanks!
> -----------------------------------
> Scott Brady
> Lead Application Developer
> Memolink, Inc.
> 

Do you understand the difference between <Directory> and <Location>?

<Directory> refers to a physical on disk directory, and the rules within
it are applied to any file served from within that directory, or
sub-directory. <Location> refers to the requested URL. 

In your example, with your first <Directory> you are restricting any
file loaded from the directory / or any subdirectory, which is, I'm
sure, not your intention. Your second <Directory> is then trying to
remove authentication, but it will only do it for files loaded from the
disk directory /mySubFolder/.

I'm pretty sure you just want <Location> containers rather than
<Directory>, like so:

<Location />
   # All your SSPI directives here
</Location>

<Location /public/>
  Allow from all
  Satisfy any
</Location>

Cheers

Tom




RE: [users@httpd] Don't require authentication on a subfolder

Posted by Scott Brady <sb...@memolinkcorp.com>.
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com] 
> Sent: Thursday, July 30, 2009 3:45 PM

> Any chance you have SSPI on in a Location container that would apply?

I'm not sure I understand the question. (I should probably point out that I'm not an Apache expert by any means -- it's only in use on our developers' machines).

Scott




Re: [users@httpd] Don't require authentication on a subfolder

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jul 30, 2009 at 5:29 PM, Scott Brady<sb...@memolinkcorp.com> wrote:
> Doesn't look like it nope.  If I interpret the docs on the <Directory> directive, what I have SHOULD override the settings on "/", so it may just be some other setting specific to SSPI I need (I have a question into a forum specific to that module, as well, but that seems fairly lower-traffic, so I wasn't sure when I'd hear a response there.)

Any chance you have SSPI on in a Location container that would apply?

-- 
Eric Covener
covener@gmail.com



RE: [users@httpd] Don't require authentication on a subfolder

Posted by Scott Brady <sb...@memolinkcorp.com>.
-----Original Message-----
From: Peter Schober [mailto:peter.schober@univie.ac.at] 
Sent: Thursday, July 30, 2009 2:10 PM

> * Scott Brady <sb...@memolinkcorp.com> [2009-07-30 21:50]:
> > # This is the folder I want freely accessible
> >                 <Directory /mySubFolder/ >
> >                                 SSPIAuth Off
> >                 </Directory>

> Does the generic way of
>  Allow from all
>  Satisfy any
> work?

Doesn't look like it nope.  If I interpret the docs on the <Directory> directive, what I have SHOULD override the settings on "/", so it may just be some other setting specific to SSPI I need (I have a question into a forum specific to that module, as well, but that seems fairly lower-traffic, so I wasn't sure when I'd hear a response there.)

It was a good idea, though.  Thanks!

Scott




Re: [users@httpd] Don't require authentication on a subfolder

Posted by Peter Schober <pe...@univie.ac.at>.
* Scott Brady <sb...@memolinkcorp.com> [2009-07-30 21:50]:
> # This is the folder I want freely accessible
>                 <Directory /mySubFolder/ >
>                                 SSPIAuth Off
>                 </Directory>

Does the generic way of
  Allow from all
  Satisfy any
work?

-peter
