httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ben Davies" <bdav...@stickyeyes.com>
Subject [users@httpd] Resource Centric Authz
Date Thu, 26 Mar 2009 11:48:50 GMT
Hi Everybody!

 

I wonder if someone can help me? I'm interested in restricting access to
certain resource based on the following criteria:

 

The users name

Or

 the users group

 

Standard fare so far. I'm using mod_authn_dbd to authenticate the user from
my MySQL database. 

 

For Authorization, I want each resource to have an owner and a group (like
unix/linux), and I want each of these to restrict access based on the http
method used to access the resource. For example; 

 

I have the resource article.html

The owner of this resource is "bob".

The group of this resource is "editors".

The following methods may be used by the owner on this resource: GET, PUT,
DELETE

The following methods may be used by members of the group "editors" on this
resource: GET, PUT

Any user who is not the owner, and not a member of the group "editors" may
use the following methods: GET

 

The closest Authz module I have seen that does this is mod_authz_file which
works based on the files actual POSIX file owner and group details.
Unfortunately, this doesn't restrict access by http method though. Ideally,
I would be able to look up these details from an SQL database by request URI
and request method.

 

Now to my question:

 

Does anyone know if there is a module or combination of modules that could
achieve (or at least part way achieve) this?

Is this (as I fear) a restriction/limit of the Require directive?

 

I could do this in PHP, but I'm attempting to draw a clean line between
Authn/Authz and the resources accessed underneath.

 

Any comments or ideas would be appreciated.

 

Cheers!

 

Ben


Mime
View raw message