httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52892] New: Require expr and %{REMOTE_USER}
Date Mon, 12 Mar 2012 21:03:23 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52892

             Bug #: 52892
           Summary: Require expr and %{REMOTE_USER}
           Product: Apache httpd-2
           Version: 2.4.1
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: registration@blackdot.be
    Classification: Unclassified


(May have mislabeled the component, not sure if it is in authn_core or
authz_core)

What I'm trying to do:
|                <RequireAll>
|                        Require ssl-verify-client
|                        Require valid-user
|                        Require expr ( \
|                                        (%{SSL_CLIENT_S_DN_O} == "Company") && \
|                                        (%{SSL_CLIENT_S_DN_OU} == "Staff") && \
|                                        (%{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}) \
|                                     )
|                </RequireAll>

Need valid Client Cert + Login, login needs to be the CN of the certificate.

What I expect to happen: this should work
What I see: %{REMOTE_USER} is empty!
> The expression parser provides a number of variables of the form %{HTTP_HOST}. Note that
> the value of a variable may depend on the phase of the request processing in which it is evaluated.
> For example, an expression used in an <If> directive is evaluated before authentication
> is done. Therefore, %{REMOTE_USER} will not be set in this case.

It's noted in the docs it can be empty... however:
| Require user hardcodeduser

Works fine... the information seems to be available at this stage.
So why isn't it exported?

For completeness:
I also tried "Require user %{SSL_CLIENT_S_DN_CN}" but that didn't work... I
wasn't expecting it to work though.

I don't think what I'm trying to do is unreasonable, if there is a way to do
it, it would be awesome.

Hopefully this is really a bug and not a limitation!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
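
An added example, not part of the original report or of httpd itself: a small configuration audit that joins backslash-continued lines and lists `<If>`/`<ElseIf>` and `Require expr` expressions that read %{REMOTE_USER}, the variable the quoted documentation and this report describe as possibly unset when the expression is evaluated. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration for this example (not from a real server).
SAMPLE_CONF = r'''
<If "%{REMOTE_USER} == 'admin'">
    Header set X-Admin 1
</If>
<RequireAll>
    Require valid-user
    Require expr ( \
        (%{SSL_CLIENT_S_DN_O} == "Company") && \
        (%{REMOTE_USER} == %{SSL_CLIENT_S_DN_CN}) \
    )
</RequireAll>
Require expr %{SSL_CLIENT_S_DN_OU} == "Staff"
# Require expr %{REMOTE_USER} == "x"
'''

# <If>/<ElseIf> per the quoted documentation; Require expr per this report.
DIRECTIVE = re.compile(r'^\s*(<(?:If|ElseIf)\b|Require\s+expr\b)', re.IGNORECASE)
USER_VAR = re.compile(r'%\{REMOTE_USER\}', re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, text) with trailing-backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        line = raw.rstrip()
        if line.endswith('\\'):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, ' '.join(buf).strip()
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, ' '.join(buf).strip()

def find_early_user_checks(text):
    """Return (line_no, directive, expression) for expressions reading REMOTE_USER."""
    hits = []
    for no, line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if m and USER_VAR.search(line):  # comment lines never match DIRECTIVE
            kind = re.sub(r'\s+', ' ', m.group(1).lstrip('<'))
            hits.append((no, kind, line))
    return hits

if __name__ == '__main__':
    for no, kind, expr in find_early_user_checks(SAMPLE_CONF):
        print(f'line {no}: {kind} reads %{{REMOTE_USER}}: {expr}')
```

Each hit is a place to confirm, on the server version in use, that the user name is actually populated when the expression runs; the script only locates the expressions and does not evaluate them.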

