Posted to users@httpd.apache.org by André Warnier <aw...@ice-sa.com> on 2008/06/04 13:35:55 UTC

Re: [users@httpd] Access control to files for logged in users only using apache

Artem Kuchin wrote:
> Hello!
> 
> Here is the situation. I have a bunch of files (thousands) in a directory
> structure which is accessible via direct url.
> 
> For example:
> 
> directory:
> 
> htdata/index.html
> htdata/files
> htdata/files/1/file1.dat
> htdata/files/1/file2.dat
> htdata/files/2/file3.dat
> htdata/files/3/file4.dat
> 
> The point is to make ONLY CERTAIN files available to users who
> are logged in and qualified for access to the files.
> 
> For example: user john has logged in using the apache auth scheme
> and he is qualified (SOMEHOW. HOW to tell it to apache?)
> for access to file2 and file4. After that this user can download them.
> Access to all other files gives "forbidden".
> 
> Any idea?
> 
Hi.

In function of what criteria is a user qualified or not to access which 
file ?  or in function of what criteria is a file said to be accessible 
by which users ?

I mean, assuming that you are using Apache's Basic authentication, based 
on Apache's htpasswd and group files, then Apache knows the user-id and 
(possibly) the user's group(s) membership(s).
Then, on the other hand, you have your files.  How do you decide which 
file is accessible by whom ?  Is it individual per user, per user group 
? can you group the files which have similar access permissions in 
separate directories ?

Example : let's say that there are 4 categories of files; files in 
category#1 can be accessed by some users, files in category#2 by some 
other users, etc..
Then you could split your files in sub-directories, and specify for each 
subdirectory something like :

<Directory /var/www/mysite/htdata/files/1>
   ...
   Require group group1 group99
</Directory>
<Directory /var/www/mysite/htdata/files/2>
   ...
   Require group group2 group99
</Directory>
<Directory /var/www/mysite/htdata/files/only_supers>
   # these files only accessible by "super-users"
   ...
   Require group group99
</Directory>
<Directory /var/www/mysite/htdata/files/everyone>
   # any authenticated user can access these files
   ...
   Require valid-user
</Directory>

then you can arrange to have each of your users given one or more groups 
: the users allowed to access files in "../files/1" would need to belong 
to group1; the users allowed to access files in "../files/2" would need 
to belong to group2; etc..
Users who can access both files/1 and files/2 need to be member of both 
group1 and group2.
Users member of group99 (super-users) can access files in all directories.
Some files may have to be duplicated into more than one subdirectory.

Depending on your situation (number of users, number of files, number of 
different categories of files, etc..) this may be practical or not.

There are really a lot of possibilities already with Apache itself, and 
even more with add-on modules, but maybe provide some more details, so 
that more suggestions can be offered.

André


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
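
Added example (not part of the original message): a complete form of the per-directory layout André describes above, with the authentication directives that his "..." lines leave out written in as assumptions. The htpasswd/htgroup paths, the realm name and the user names are constructed; the parent <Directory> section is an addition so that a subdirectory without its own Require line is limited to group99 instead of being left open.

```apache
# Constructed example: paths, realm name and user names are assumptions.
# Keep both files outside the DocumentRoot so they cannot be downloaded.
#
# /etc/apache2/htgroup  (format: "group: member member ...")
#   group1:  john mary
#   group2:  mary
#   group99: admin

# Parent section: authentication is configured once and inherited by all
# subdirectories. A subdirectory without its own Require line (files/3,
# or any directory created later) falls back to this rule: group99 only.
<Directory /var/www/mysite/htdata/files>
    # Basic credentials are only base64-encoded; serve this over HTTPS.
    AuthType Basic
    AuthName "Protected files"
    AuthBasicProvider file
    AuthUserFile  /etc/apache2/htpasswd
    AuthGroupFile /etc/apache2/htgroup
    Require group group99
</Directory>

# A Require line in a more specific section replaces the inherited one.
<Directory /var/www/mysite/htdata/files/1>
    Require group group1 group99
</Directory>

<Directory /var/www/mysite/htdata/files/2>
    Require group group2 group99
</Directory>

<Directory /var/www/mysite/htdata/files/only_supers>
    Require group group99
</Directory>

<Directory /var/www/mysite/htdata/files/everyone>
    Require valid-user
</Directory>
```

With the sample group file, john can fetch files/1 and files/everyone, mary can additionally fetch files/2, and admin can fetch every directory.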


Re: [users@httpd] RewriteEngine directive

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Jun 5, 2008 at 3:40 PM, Malka Cymbalista
<Ma...@weizmann.ac.il> wrote:
> Thanks for your reply.  I actually read the documentation which is where I learned that I can put Rewrite directives in the directory section.  My question is if there is any way to get around putting
> RewriteEngine on
> in each directory section.  I have   RewriteEngine on   in the config file outside  the directory section but this did not seem to be enough and I had to put it into the specific directory section.

You probably put RewriteEngine on outside your virtual host, which is
indeed not inherited by this virtual host. You need to put it inside
the virtualhost. If you want to switch it on in a directory section
you don't need to put it in each directory section. Directory sections
are merged, so you could conceivably put it in the root Directory
section. (I don't think it is usually a good idea to put rewrite rules
in a directory context...)

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] RewriteEngine directive

Posted by Malka Cymbalista <Ma...@weizmann.ac.il>.
Thanks for your reply.  I actually read the documentation which is where I learned that I can put Rewrite directives in the directory section.  My question is if there is any way to get around putting   
RewriteEngine on
in each directory section.  I have   RewriteEngine on   in the config file outside  the directory section but this did not seem to be enough and I had to put it into the specific directory section.

-- 

Malka Cymbalista
Webmaster, Weizmann Institute of Science
malki.cymbalista@weizmann.ac.il
08-934-3036


>>> On 6/5/2008 at 4:21 PM, in message
<6e...@mail.gmail.com>, "Krist van
Besien" <kr...@gmail.com> wrote:
> On Thu, Jun 5, 2008 at 11:09 AM, Malka Cymbalista
> <Ma...@weizmann.ac.il> wrote:
>> If I want to put Rewrite directives into specific <Directory> sections, do I 
> have to put the RewriteEngine directive into each of the sections or can I 
> put it somewhere else in the configuration file where I will not have to 
> repeat it in each directory section.
>> Thanks for any help.
> 
> In the documentation
> (http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteengine)
> it says, for RewriteEngine:
> 
> "Context:	server config, virtual host, directory, .htaccess"
> 
> So you can put it in your server config or virtual host.
> 
> General hint: If you are not sure where you can use a directive,
> consult the apache documentation.
> 
> Krist




Re: [users@httpd] RewriteEngine directive

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Jun 5, 2008 at 11:09 AM, Malka Cymbalista
<Ma...@weizmann.ac.il> wrote:
> If I want to put Rewrite directives into specific <Directory> sections, do I have to put the RewriteEngine directive into each of the sections or can I put it somewhere else in the configuration file where I will not have to repeat it in each directory section.
> Thanks for any help.

In the documentation
(http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteengine)
it says, for RewriteEngine:

"Context:	server config, virtual host, directory, .htaccess"

So you can put it in your server config or virtual host.

General hint: If you are not sure where you can use a directive,
consult the apache documentation.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



[users@httpd] RewriteEngine directive

Posted by Malka Cymbalista <Ma...@weizmann.ac.il>.
If I want to put Rewrite directives into specific <Directory> sections, do I have to put the RewriteEngine directive into each of the sections or can I put it somewhere else in the configuration file where I will not have to repeat it in each directory section.
Thanks for any help.
-- 

Malka Cymbalista
Webmaster, Weizmann Institute of Science
malki.cymbalista@weizmann.ac.il
08-934-3036





Re: [users@httpd] Access control to files for logged in users only using apache

Posted by André Warnier <aw...@ice-sa.com>.

Artem Kuchin wrote:
> 
> 
> André Warnier wrote:
>> Artem Kuchin wrote:
>>> Hello!
>>>
>>> Here is the situation. I have a bunch of files (thousands) in a 
>>> directory
>>> structure which is accessible via direct url.
>>>
>>> For example:
>>>
>>> directory:
>>>
>>> htdata/index.html
>>> htdata/files
>>> htdata/files/1/file1.dat
>>> htdata/files/1/file2.dat
>>> htdata/files/2/file3.dat
>>> htdata/files/3/file4.dat
>>>
>>> The point is to make ONLY CERTAIN files available to users who
>>> are logged in and qualified for access to the files.
>>>
>>> For example: user john has logged in using the apache auth scheme
>>> and he is qualified (SOMEHOW. HOW to tell it to apache?)
>>> for access to file2 and file4. After that this user can download them.
>>> Access to all other files gives "forbidden".
>>>
>>> Any idea?
>>>
>> Hi.
>>
>> In function of what criteria is a user qualified or not to access 
>> which file ?  or in function of what criteria is a file said to be 
>> accessible by which users ?
>>
>>
> Well, basically software must open and close access to files, but access 
> itself must be granted or denied by apache.
> For example:
> 1) apache authorized the user (basic login)
> 2) user does something that makes software set a cookie OR write a 
> special file where it is specified what user has access to file
> 3) user is provided with the link and can download the file(s), apache 
> controls access using cookie (not secure at all) or the file with
> permissions (nice and secure)
> 

I am not the ultimate expert, and you may want to wait for someone else 
to comment on this, but what you explain above makes me think that 
basically, the conditions under which a user gets access or not to a 
given file are what I would call "complex and non-standard".

I do not think that you will find a way to do exactly what you want 
using just built-in Apache possibilities, and maybe not even standard 
Apache add-on modules.

Using my own knowledge (Apache, perl and mod_perl), I would think that 
what you need here is a custom-made mod_perl-based "PerlAuthzHandler" 
add-on module, which will handle the "authorization" phase of the access 
to these URL's according to the precise rules you would specify, and 
either allow the user to access the file, or return a forbidden response 
(or something nicer).  Such a handler could easily and securely handle 
authorization based on either a cookie or some file, independently of 
the file permissions themselves at the OS level.

I would offer to write it for you in my professional capacity, if you do 
not get any better suggestions on this list.

André



Re: [users@httpd] Access control to files for logged in users only using apache

Posted by Artem Kuchin <ma...@itlegion.ru>.

André Warnier wrote:
> Artem Kuchin wrote:
>> Hello!
>>
>> Here is the situation. I have a bunch of files (thousands) in a 
>> directory
>> structure which is accessible via direct url.
>>
>> For example:
>>
>> directory:
>>
>> htdata/index.html
>> htdata/files
>> htdata/files/1/file1.dat
>> htdata/files/1/file2.dat
>> htdata/files/2/file3.dat
>> htdata/files/3/file4.dat
>>
>> The point is to make ONLY CERTAIN files available to users who
>> are logged in and qualified for access to the files.
>>
>> For example: user john has logged in using the apache auth scheme
>> and he is qualified (SOMEHOW. HOW to tell it to apache?)
>> for access to file2 and file4. After that this user can download them.
>> Access to all other files gives "forbidden".
>>
>> Any idea?
>>
> Hi.
>
> In function of what criteria is a user qualified or not to access 
> which file ?  or in function of what criteria is a file said to be 
> accessible by which users ?
>
>
Well, basically software must open and close access to files, but access 
itself must be granted or denied by apache.
For example:
1) apache authorized the user (basic login)
2) user does something that makes software set a cookie OR write a 
special file where it is specified what user has access to file
3) user is provided with the link and can download the file(s), apache 
controls access using cookie (not secure at all) or the file with
permissions (nice and secure)


--
Artem


