forrest-dev mailing list archives

From David Crossley <cross...@apache.org>
Subject Re: htaccess
Date Wed, 07 Apr 2004 00:32:56 GMT
E.L. wrote:
> David Crossley wrote:
> > Dave has shown you the way to copy pre-prepared files over.
> > FOR-109 is an idea about automatically generating them, which would
> > be a grand feature enhancement. Bear in mind that that capability
> > would need to be optional, because not everyone uses such
> > Apache-HTTPd-like methods as their web server.
> > 
> > If you have any ideas in that department then we would be glad to hear.
> 
> Here is my idea.  Ok - so keeping in mind that I'm a forrest newbie
> (and I'm talking from a pragmatic operational point of view
> (hopefully)) - here are my 2 cents:

You are doing very well for a newbie :-)

> For this functionality (focusing purely on providing an access control
> mechanism that uses Apache web server):
> In some overall properties file (?forrest.properties?):
> - user needs to specify web server (right now - only apache will work),
> so something like:
> web.server=apache
> - If it is apache (or any other server I suppose) - user would need to
> specify the file name that the web server recognizes as a directive file.
> In apache (by default) - the file is .htaccess, however
> - it can be anything (changed via Apache's httpd.conf).
> So the next overall property would specify this:
> 
> web.server.directive.file.name = .htaccess

Yep, without the spaces.

> I believe that the above should be explicitly stated in forrest,
> rather than assume a default. 
> Now as to the name of this property - it probably needs to be something
> more general (I don't know if IIS for example has a file that specifies
> directives, or separate files for directives, as opposed to access
> control - in Apache - it's all in one file).
> Alternatively, this can be an access control property only - i.e.:
> web.server.access.control.file.name = .htaccess

Yes, probably better to be more general with the names.
We can always change it. This is for forrest-0.6 head
i.e. the development version.

> Restricting access to a particular part of a site involves 2 things:
> the password file (this is usually in user's home directory and not
> part of web directories served by the web server) and the
> .htaccess file for a particular directory that needs to be restricted.
> 
> Examples:
> 
> password file:
> jsmith:IlH5ttPHI23NJI
> bob_jones:JKWELL008

Just assume that they know all those things. If not then they
should not be messing with .htaccess files.

> .htaccess file:
> AuthType Basic
> AuthName "Password Required"
> AuthUserFile /home/foouser/passwords/password.file
> AuthGroupFile /home/foouser/passwords/group.file
> Require group admins
> Require user jsmith
> 
> Personally - I don't use the group password file.
> In any case - one thing to keep in mind is that
> an absolute path needs to be supplied to AuthUserFile and
> AuthGroupFile (if that exists). 
> Furthermore, different password files can be used for
> different directories.
> 
> So - a possible approach to specify the above:
> 
> In site.xml:
> Have something similar to the external links type of structure
> that allows user to specify different password files (it doesn't
> matter if it's group or user).  Also - have the same thing for
> users and groups (for those that are used through many different
> .htaccess files).  So it would be something like:
>   <external-apache-security>
>     <xml.apache.org href="http://xml.apache.org/">
>        <admingroup secref="admins">
> 	??stating group name as being called admins
> 	</admingroup>
> 	<totalsitepasswdfile secref="globalpasswdfile">
> 	???stating absolute path including file name of a password
>         file (can be group or user - doesn't matter)
> 	</totalsitepasswdfile>
>     </xml.apache.org>
>   </external-apache-security>

This stuff would not go in site.xml because that is about defining
the linking and navigation stuff. The skinconf.xml might be a better
place.

> Then in content directory have something like security.xml where
> .htaccess information is described.  Apache directives could be
> used to create xml tags:
> <authtype>Basic</authtype>
> <authname>"Password Required"</authname>
> <authuserfile> /home/foouser/passwords/password.file</authuserfile>
> <authgroupfile> /home/foouser/passwords/group.file</authgroupfile>
> <require>
> 	<group>admins</group>
> 	<user>jsmith</user>
> </require>

Probably call it htaccess.xml ... and it needs a special match in
the sitemap.xmap to deal with the "htaccess" pattern to apply an
htaccess.xsl to generate the output.

> For above - you could use those external references instead of direct names.

I gather that the parameters from the skinconf.xml would be available
in the stylesheet. Look at some of the other stylesheets to see.

> The above would generate an .htaccess file (same data as in .htaccess file
> shown above) for the content directory it's in.  The security.xml (validation
> wise) would require authtype, authname, authuserfile, authgroupfile, and
> one <group> or <user> or both.

The source file would need a DTD to define that.

> One more thing is that if the user doesn't want a groupfile - then they
> still need to have this field and put a /dev/null
> (forcing a good security practice).
>
> Things to note:  I don't think that the other Require directives are needed
> at this stage.

We do need to look a bit further ahead at this design stage.
For example, there are many other things that can be specified
in the Apache htaccess, e.g. rewrite rules.

> Is this at all helpful to build this feature?
> 
> EL
> 
> PS:  Relevant info:
> http://httpd.apache.org/docs/howto/htaccess.html
> http://httpd.apache.org/docs/howto/auth.html
> http://httpd.apache.org/docs/mod/core.html#require

Yes, it is very helpful to have someone write down all the
steps and get the discussion moving. Please try it out on
your local system.

--David
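
The generation step discussed in this thread, sketched as an added example (not code from the original messages or from Forrest): a Python stand-in for the proposed htaccess.xsl that validates a source file in the proposed shape and emits the directives. The `<htaccess>` wrapper element, the name `render_htaccess` and the rejection rules are assumptions; the sample input is constructed from the values quoted above.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample in the shape proposed in the thread; the <htaccess>
# wrapper element is an assumption (the thread shows only the children).
SAMPLE = """<htaccess>
  <authtype>Basic</authtype>
  <authname>"Password Required"</authname>
  <authuserfile> /home/foouser/passwords/password.file</authuserfile>
  <authgroupfile>/dev/null</authgroupfile>
  <require><group>admins</group><user>jsmith</user></require>
</htaccess>"""

REQUIRED = ("authtype", "authname", "authuserfile", "authgroupfile")

def _text(root, tag):
    node = root.find(tag)
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        raise ValueError(f"missing required element <{tag}>")
    # A line break inside a value would emit an extra, unreviewed directive.
    if "\n" in value or "\r" in value:
        raise ValueError(f"<{tag}> must be a single line")
    return value

def render_htaccess(xml_source):
    root = ET.fromstring(xml_source)
    v = {tag: _text(root, tag) for tag in REQUIRED}
    if v["authtype"] not in ("Basic", "Digest"):
        raise ValueError("unsupported <authtype>")
    for tag in ("authuserfile", "authgroupfile"):
        # The thread requires absolute paths; whitespace is rejected here
        # rather than quoted (a simplification of this sketch).
        if not posixpath.isabs(v[tag]) or any(c.isspace() for c in v[tag]):
            raise ValueError(f"<{tag}> must be an absolute path without spaces")
    name = v["authname"].strip('"')
    if '"' in name:
        raise ValueError("<authname> contains an embedded quote")
    lines = [f"AuthType {v['authtype']}", f'AuthName "{name}"',
             f"AuthUserFile {v['authuserfile']}",
             f"AuthGroupFile {v['authgroupfile']}"]
    principals = [(n.tag, (n.text or "").strip())
                  for n in root.findall("require/*") if n.tag in ("group", "user")]
    if not principals:
        raise ValueError("<require> needs at least one <group> or <user>")
    for kind, who in principals:
        if not who or any(c.isspace() for c in who):
            raise ValueError(f"invalid {kind} name {who!r}")
        lines.append(f"Require {kind} {who}")
    return "\n".join(lines) + "\n"
```
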


