forrest-dev mailing list archives

From "E.L." <elev...@yahoo.com>
Subject Re: htaccess
Date Tue, 06 Apr 2004 23:31:15 GMT
David,

> Dave has shown you the way to copy pre-prepared files over.
> FOR-109 is an idea about automatically generating them, which would
> be a grand feature enhancement. Bear in mind that that capability
> would need to be optional, because not everyone uses such
> Apache-HTTPd-like methods as their web server.
> 
> If you have any ideas in that department then we would be glad to hear.

Here is my idea.  Ok - so keeping in mind that I'm a forrest newbie (and I'm talking from a pragmatic operational point of view (hopefully)) - here are my 2 cents:

For this functionality (focusing purely on providing an access control mechanism that uses the Apache web server):
In some overall properties file (?forrest.properties?):
- user needs to specify web server (right now - only apache will work), so something like:
web.server=apache
- If it is apache (or any other server I suppose) - user would need to specify the file name that the web server recognizes as a directive file.  In apache (by default) - the file is .htaccess, however - it can be anything (changed via Apache's httpd.conf).  So the next overall property would specify this:

web.server.directive.file.name = .htaccess

I believe that the above should be explicitly stated in forrest, rather than assume a default.

Now as to the name of this property - it probably needs to be something more general (I don't know if IIS for example has a file that specifies directives, or separate files for directives, as opposed to access control - in Apache - it's all in one file).  Alternatively, this can be an access control property only - i.e.:
web.server.access.control.file.name = .htaccess

Restricting access to a particular part of a site involves 2 things:  the password file (this is usually in the user's home directory and not part of web directories served by the web server) and the .htaccess file for a particular directory that needs to be restricted.

Examples:

password file:
jsmith:IlH5ttPHI23NJI
bob_jones:JKWELL008

.htaccess file:
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/foouser/passwords/password.file
AuthGroupFile /home/foouser/passwords/group.file
Require group admins
Require user jsmith

Personally - I don't use the group password file.  In any case - one thing to keep in mind is that an absolute path needs to be supplied to AuthUserFile and AuthGroupFile (if that exists).
Furthermore, different password files can be used for different directories.

So - a possible approach to specify the above:

In site.xml:
Have something similar to the external links type of structure that allows the user to specify different password files (it doesn't matter if it's group or user).  Also - have the same thing for users and groups (for those that are used through many different .htaccess files).  So it would be something like:
  <external-apache-security>
    <xml.apache.org href="http://xml.apache.org/">
      <admingroup secref="admins">
        ??stating group name as being called admins
      </admingroup>
      <totalsitepasswdfile secref="globalpasswdfile">
        ???stating absolute path including file name of a password file (can be group or user - doesn't matter)
      </totalsitepasswdfile>
    </xml.apache.org>
  </external-apache-security>

Then in content directory have something like security.xml where .htaccess information is described.  Apache directives could be used to create xml tags:
<authtype>Basic</authtype>
<authname>"Password Required"</authname>
<authuserfile> /home/foouser/passwords/password.file</authuserfile>
<authgroupfile> /home/foouser/passwords/group.file</authgroupfile>
<require>
	<group>admins</group>
	<user>jsmith</user>
</require>

For above - you could use those external references instead of direct names.

The above would generate an .htaccess file (same data as in the .htaccess file shown above) for the content directory it's in.  The security.xml (validation wise) would require authtype, authname, authuserfile, authgroupfile, and one <group> or <user> or both.  One more thing is that if the user doesn't want a groupfile - then they still need to have this field and put a /dev/null (forcing a good security practice).


Things to note:  I don't think that the other Require directives are needed at this stage.

Is this at all helpful to build this feature?

EL

PS:  Relevant info:
http://httpd.apache.org/docs/howto/htaccess.html
http://httpd.apache.org/docs/howto/auth.html
http://httpd.apache.org/docs/mod/core.html#require
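The security.xml to .htaccess generation proposed in the message above, written out as an added example; this is not code from the message or from the Forrest project (Forrest itself would do this in its Cocoon/XSLT pipeline, so the Python is an assumption). The element names follow the proposal, and the checks are the ones the author lists: all four Auth* elements present, absolute paths for AuthUserFile and AuthGroupFile, at least one <group> or <user> under <require>, and /dev/null accepted as the explicit "no group file" value. The sample security.xml is constructed here.

```python
"""Validate a proposed security.xml and render it as Apache .htaccess directives.

Added example for the forrest-dev thread; element names come from the proposal,
the Python implementation is an assumption.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample input following the element names sketched in the mail.
SAMPLE_SECURITY_XML = """\
<security>
  <authtype>Basic</authtype>
  <authname>"Password Required"</authname>
  <authuserfile>/home/foouser/passwords/password.file</authuserfile>
  <authgroupfile>/dev/null</authgroupfile>
  <require>
    <group>admins</group>
    <user>jsmith</user>
  </require>
</security>
"""

# The proposal requires all four of these to be present (group file may be /dev/null).
REQUIRED = ("authtype", "authname", "authuserfile", "authgroupfile")


class SecurityXmlError(ValueError):
    """Raised when security.xml breaks one of the rules stated in the proposal."""


def _text(root, tag):
    """Return the stripped text of a mandatory child element, or fail loudly."""
    elem = root.find(tag)
    if elem is None or elem.text is None or not elem.text.strip():
        raise SecurityXmlError(f"<{tag}> is required and must not be empty")
    return elem.text.strip()


def parse_security_xml(xml_text):
    """Validate security.xml and return a dict of the settings to emit."""
    root = ET.fromstring(xml_text)
    settings = {tag: _text(root, tag) for tag in REQUIRED}

    # The proposal only covers HTTP Basic authentication.
    if settings["authtype"] != "Basic":
        raise SecurityXmlError("only AuthType Basic is covered by this proposal")

    # AuthUserFile and AuthGroupFile must be absolute paths (relative paths are
    # resolved against ServerRoot by Apache and silently point elsewhere).
    for tag in ("authuserfile", "authgroupfile"):
        if not os.path.isabs(settings[tag]):
            raise SecurityXmlError(f"<{tag}> must be an absolute path: {settings[tag]!r}")

    # <require> must name at least one group or one user.
    require = root.find("require")
    if require is None:
        raise SecurityXmlError("<require> is required")
    groups = [g.text.strip() for g in require.findall("group") if g.text and g.text.strip()]
    users = [u.text.strip() for u in require.findall("user") if u.text and u.text.strip()]
    if not groups and not users:
        raise SecurityXmlError("<require> needs at least one <group> or <user>")
    settings["groups"] = groups
    settings["users"] = users
    return settings


def render_htaccess(settings):
    """Render validated settings as the .htaccess text shown in the mail."""
    # AuthName is always emitted quoted; drop quotes the author put in the XML.
    auth_name = settings["authname"].strip('"')
    lines = [
        f"AuthType {settings['authtype']}",
        f'AuthName "{auth_name}"',
        f"AuthUserFile {settings['authuserfile']}",
        f"AuthGroupFile {settings['authgroupfile']}",
    ]
    # Multiple Require lines: the request is allowed if any one of them matches.
    lines += [f"Require group {g}" for g in settings["groups"]]
    lines += [f"Require user {u}" for u in settings["users"]]
    return "\n".join(lines) + "\n"


def generate_htaccess(xml_text):
    """Full pipeline: security.xml text in, .htaccess text out."""
    return render_htaccess(parse_security_xml(xml_text))


if __name__ == "__main__":
    print(generate_htaccess(SAMPLE_SECURITY_XML), end="")
```

Running the module prints the same six directives as the hand-written .htaccess in the message, with /dev/null standing in for the unused group file. Feeding it a relative AuthUserFile or an empty <require> raises SecurityXmlError instead of emitting a file that Apache would accept but that protects the wrong thing.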


