httpd-users mailing list archives

From matt farey <matt.fa...@gmail.com>
Subject Re: [users@httpd] How to handle nested authorization requirements?
Date Thu, 08 Mar 2007 16:19:12 GMT


Zembower, Kevin wrote:
> I'm having trouble with a 'nested' authorization requirement. Here's
> part of my httpd.conf file:
> cn2:/etc/apache# egrep -v '^[[:space:]]*#|^[[:space:]]*$' httpd.conf
> <snip>
> NameVirtualHost *
> <VirtualHost *>
>      ServerName centernet.jhuccp.org
>      DocumentRoot /var/www/centernet/htdocs
>      <Directory /var/www/centernet/htdocs>
> <snip>
>          AuthType Basic
>          AuthName "JHU/CCP"
>          AuthUserFile /var/www/centernet/users
>          require valid-user
>          satisfy any
>          order deny,allow
>          allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24 10.253.202.0/24
>          deny from all
>      </Directory>
> <snip>
>      <Directory /var/www/centernet/htdocs/staffonly>
>         AuthType Basic
>         AuthName "CCP Staff Only"
>         AuthUserFile /var/www/centernet/staffonlylist
>         require valid-user
>      </Directory>
> </VirtualHost>
> <snip>
> cn2:/etc/apache#
>
> In the first part of the centernet VirtualHost section, I restrict users
> to either be in specific IP address ranges, or enter the password in
> /var/www/centernet/users. I want to put an additional restriction on
> viewing the files in /var/www/centernet/htdocs/staffonly/. However, when
> I test this from inside the specified IP address ranges, it never asks
> me to authenticate to view the files in /staffonly/.
>
> How should I change my config file to put additional authorization
> requirements on the /staffonly/ directory?
>
> Thanks in advance for all your help and suggestions.
>   

presumably because your
satisfy any
clause means that the user who is attempting to go to the staffonly
directory has satisfied a previous requirement,
so you must override this inheritance with a
satisfy all
command, I guess.
> -Kevin
>
> Kevin Zembower
> Internet Services Group manager
> Center for Communication Programs
> Bloomberg School of Public Health
> Johns Hopkins University
> 111 Market Place, Suite 310
> Baltimore, Maryland  21202
> 410-659-6139 
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>   

-- 
Matthew Farey
Web App Sec.
25 The Polygon, Southampton, Hants, SO15 2BP, UK
Phone +44(0)2380 631449
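
The override suggested in this reply, written out against the quoted configuration, as an added example that is not part of the original thread. It uses the same Order/Allow/Satisfy syntax as the quoted file; the choice to let staff in from outside the listed ranges is an assumption and is marked in the comments.

```apache
# Added example. Paths, realm names and address ranges are copied from the
# configuration quoted in the message above.
<Directory /var/www/centernet/htdocs>
    AuthType Basic
    AuthName "JHU/CCP"
    AuthUserFile /var/www/centernet/users
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 10.253.192.192/26 10.253.200.0/24 10.253.201.0/24 10.253.202.0/24
    # Either a listed address OR a valid password is enough here.
    Satisfy any
</Directory>

<Directory /var/www/centernet/htdocs/staffonly>
    AuthType Basic
    AuthName "CCP Staff Only"
    AuthUserFile /var/www/centernet/staffonlylist
    Require valid-user

    # Satisfy is inherited from the parent <Directory>. Without this line
    # "Satisfy any" still applies, so a client in a listed range passes the
    # host check and is never asked for the staff password.
    Satisfy all

    # Assumption: staff connecting from outside the listed ranges should
    # still get in with a staff password. "Satisfy all" makes the host
    # check mandatory as well, so the inherited "Deny from all" would
    # answer them with 403. Opening the host check here leaves the staff
    # password as the only gate. Omit these two lines to require an
    # in-range address AND the staff password.
    Order allow,deny
    Allow from all
</Directory>
```

To check the result, request a file under /staffonly/ once from an address inside the listed ranges and once from outside: both should now receive a 401 challenge for the "CCP Staff Only" realm.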


