httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: Authentication API
Date Wed, 17 Jul 1996 21:21:12 GMT
On Wed, 17 Jul 1996, Robert S. Thau wrote:

> Actually, I'm not sure the problems of uploading .htaccess files are
> all that much worse than the problems of uploading anything else
> (though there is the awkward problem of managing auxiliary files such
> as .htaccess and .htpasswd in addition).  In each case, you have to
> verify that this *particular* client has the right to update the
> server's contents.  (The main problem is that it doesn't fit terribly
> well with our current access control model --- one possibility is to
> have the script under its own access control rules, and have a rules
> database which would allow the config script to determine whether a
> particular REMOTE_USER was authorized to update the configuration of a
> particular <Directory> or <Location> --- FWIW, Location might well be
> a better way to do it). 

On an only-slightly-related note, there's a functionality missing from
Apache, and that's the ability to control access to a single file or group
of files that aren't a directory. <Location> does let you do it, but it's
not the most ideal solution, and doesn't work from .htaccess files. What
I'd like to do (I just need time to write it) is to steal the Netscape
Server <Files> directive. i.e. you could put in (this is an actual example
that someone wanted):

<Files /*/.htpass>
deny from all
</Files>

Or you could put into an .htaccess file:

<Files protected.html>
require user foo
</Files>

You could even do what (I think it was) Ben wanted:

<Files *.html.gz>
SetHandler uncompress-file
Action uncompress-file /cgi-bin/uncompress
</Files>

I'll try and work up a patch soonish. Shouldn't be that hard. The
server-config version can work just like <Directory>, just don't add the
slash. The .htaccess version is harder. I think it would be interpreted,
rather than "compiled" (as <Directory> and <Location> are); when it hits a
"<Files>", it checks to see if it matches the currently requested file
(by the time .htaccess files are processed, you should know the filename
- though you'd have to hack the core to get at it: add a pointer to the
request_rec from cmd_parms), if so, process what's inside, otherwise just
ignore it.

You'd have to disable the .htaccess cache, though. Hmm. Thoughts?

-- Alexei Kosut <>            The Apache HTTP Server
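
Added example, not part of the original message and not Apache code: a minimal sketch of the "interpreted" .htaccess handling described above, where a <Files> section is applied only if its pattern matches the requested file name. The function name apply_htaccess, the use of fnmatch(3) for matching, and the sample configuration are assumptions made for illustration. Because the set of applied directives depends on the requested file, the result for one request cannot be reused for another file in the same directory.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample .htaccess content built from the sections in the message. */
static const char SAMPLE[] =
    "AuthName demo\n"
    "<Files protected.html>\n"
    "require user foo\n"
    "</Files>\n"
    "<Files *.html.gz>\n"
    "SetHandler uncompress-file\n"
    "</Files>\n";

/* Interpret conf for one request: directives outside <Files> always apply,
 * directives inside apply only when the section pattern matches filename.
 * Applied directives are appended to out, one per line; returns their count. */
int apply_htaccess(const char *conf, const char *filename, char *out, size_t outsz)
{
    int in_section = 0, active = 0, applied = 0;
    char line[256];
    out[0] = '\0';
    while (*conf) {
        size_t len = strcspn(conf, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, conf);
        conf += len + (conf[len] == '\n');
        if (strncmp(line, "<Files ", 7) == 0) {
            char *end = strchr(line, '>');
            if (end) *end = '\0';               /* isolate the pattern */
            in_section = 1;
            active = (fnmatch(line + 7, filename, 0) == 0);
        } else if (strcmp(line, "</Files>") == 0) {
            in_section = 0;
        } else if (line[0] && (!in_section || active)) {
            size_t used = strlen(out);
            if (used + strlen(line) + 2 > outsz) return -1;  /* output full */
            snprintf(out + used, outsz - used, "%s\n", line);
            applied++;
        }
    }
    return applied;
}

int main(void)
{
    char buf[512];
    int n = apply_htaccess(SAMPLE, "protected.html", buf, sizeof buf);
    printf("%d directive(s) for protected.html:\n%s", n, buf);
    return 0;
}
```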