httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42079] New: - SSLRequire: Additional access in sub-directories
Date Tue, 10 Apr 2007 14:09:26 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42079>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42079

           Summary: SSLRequire: Additional access in sub-directories
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Sun
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: somme@slb.com


Previously I used both LDAP and User/Group files for regulating access in
quite a deep hierarchy of sub-directories. I have had no problems in adding
or removing access in any combination that I want. However, now when I use
SSLRequire (and client certificates) I seem to have no way to *add* access
as I go down in my hierarchy. E.g.

<Directory /htdocs/sub1>
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "US"
</Directory>

<Directory /htdocs/sub1/sub2>
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "CA"
</Directory>

A user with a "CA" certificate will not be able to access sub1/sub2/
because he/she has no access in sub1/. I.e., you can only *restrict* access
as you go down in the hierarchy; you cannot *add* access.

A similar issue was discussed in bug # 41911.

I will call this a bug. Using LDAP or User/Group files this would be
perfectly OK to access sub1/sub2/ but still have no access in sub1/.

I have seen this problem reported in other mailing lists as well and
one guy suggested to test on REQUEST_URI in addition to the SSL* environment
variables. I tried this, but since the number of subdirectories I have
is so big, the regular expression got too big (the httpd.conf parser could
not parse it).

Any feedback is welcome.
Thanks.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
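
The access behaviour described in this report, modelled as an added example (not part of the original message and not httpd code): every enclosing <Directory> section's SSLRequire expression must hold, compared with the innermost-section-wins behaviour the reporter expected. The section table, function names and sample paths are constructed for illustration.

```python
# Added illustration: a simplified model of the reported behaviour, not httpd source.
from pathlib import PurePosixPath

# Constructed sample mirroring the two <Directory> sections in the report:
# directory -> client-certificate country (SSL_CLIENT_S_DN_C) it requires.
SECTIONS = {
    "/htdocs/sub1": "US",
    "/htdocs/sub1/sub2": "CA",
}

def enclosing_sections(path, sections):
    """Sections that contain `path`, outermost first (whole path components only)."""
    p = PurePosixPath(path)
    hits = [d for d in sections
            if p == PurePosixPath(d) or PurePosixPath(d) in p.parents]
    return sorted(hits, key=lambda d: len(PurePosixPath(d).parts))

def allowed_cumulative(path, country, sections=SECTIONS):
    """Behaviour the report observes for SSLRequire: every enclosing
    section's expression must hold, so a deeper section can only restrict."""
    return all(sections[d] == country for d in enclosing_sections(path, sections))

def allowed_override(path, country, sections=SECTIONS):
    """Behaviour the reporter expected (as with User/Group files): the
    innermost section's requirement replaces the outer ones."""
    hits = enclosing_sections(path, sections)
    return True if not hits else sections[hits[-1]] == country

def audit(paths, countries, sections=SECTIONS):
    """Return (path, country) pairs where the two models disagree, i.e. where
    a grant the administrator intended is denied by the cumulative check."""
    return [(p, c) for p in paths for c in countries
            if allowed_cumulative(p, c, sections) != allowed_override(p, c, sections)]

if __name__ == "__main__":
    sample_paths = ["/htdocs/sub1/a.html", "/htdocs/sub1/sub2/b.html"]  # constructed
    for p, c in audit(sample_paths, ["US", "CA"]):
        print(f"{c} certificate on {p}: "
              f"cumulative={allowed_cumulative(p, c)}, override={allowed_override(p, c)}")
```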

