Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
Received-SPF: pass (nike.apache.org: domain of donovant@bellatlantic.net
 designates 206.46.173.7 as permitted sender)
Message-id: <49A54573.6010004@bellatlantic.net>
Date: Wed, 25 Feb 2009 08:19:47 -0500
From: Tom Donovan <donovant@bellatlantic.net>
Reply-to: Tom.Donovan@acm.org
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-version: 1.0
To: users@httpd.apache.org
References: <49A3E0CA.5080905@rs-labs.com>
In-reply-to: <49A3E0CA.5080905@rs-labs.com>
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7bit
Subject: Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on
 path value stored in mysql table

Roman Medina-Heigl Hernandez wrote:
> Hello,
> 
> I'm working on an ISP/Hosting environment and I'm having trouble to figure
> out how to solve a problem which (I think) involves mixing several
> modules/concepts:
> - pages should be protected with basic-auth where user database should
> reside on MySQL (mod_authn_dbd). The mysql table basically contains 3
> fields: user, password and path
> - pages should be rewritten (mod_rewrite) based on authenticated user *and*
> the path associated to that user.
> 
> So for instance, accesing to http://isp/stats/ should:
> 1.- Ask for user/pass
> 2.- If the user exists in MySQL table (and password is ok), the path
> (associated to that user) should be retrieved from the same table. Let's
> say we have user "Tom" with path "/home/Tom".
> 3.- Finally Apache should serve /home/Tom/stats/.
> 
> Is this achievable?
> 
It may not be possible to do what you want.  Apache locates the file to serve before deciding 
whether to prompt for authentication.

For example: even if authentication is required for /home - there may be "Satisfy Any" and "Allow 
from all" directives for /home/Mary.  If the "AllowOverride AuthConfig" directive is specified - 
there might be a .htaccess file in /home/Mary which prevents authentication from being needed.

In either case, access to /home/Mary doesn't require authentication, and shouldn't prompt for it.

This is why the steps are:
1.) determine the file Apache should serve
2.) decide if authentication is needed for this file, based on its directory or parent directories, 
or directives contained in <Location>, <Files>, .htaccess, etc.
3.) prompt for authentication only if it is needed

It's a catch-22 to require the results of authentication to determine which file to serve.

You might say "I don't do any of those things which prevent authentication" - but it is not easy for 
Apache to consider in advance all the possibilities that "http://isp/stats/ " might get re-written 
to, and then check that there are none of "those things" for any of them before prompting a user for 
authentication.

-tom-


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org