httpd-users mailing list archives

From "James B. Byrne" <byrn...@harte-lyne.ca>
Subject Re: [users@httpd] Apache Directory Level access control
Date Tue, 21 Jan 2014 19:22:07 GMT

On Tue, January 21, 2014 12:39, James B. Byrne wrote:
> CentOS-6.5-i86_64
> httpd-2.2.15 (CentOS)
>
> I have a problem with configuring directory access using groups. We have a
> site with multiple sub-directories. We have several groups defined. We have
> the entire site protected at the root by digest authentication and some of the
> sub-directories protected by:
>
> <Directory /protect/directory/path>
>     Require group xxxxx
> </Directory>
>
> All directives are contained in the virtual web site configuration file.  We
> are not using .htaccess files.
>


The documentation website for Apache-httpd-2.2 says this:

https://httpd.apache.org/docs/2.2/howto/htaccess.html#page-header

When (not) to use .htaccess files

In general, you should only use .htaccess files when you don't have access to
the main server configuration file. There is, for example, a common
misconception that user authentication should always be done in .htaccess
files, and, in more recent years, another misconception that mod_rewrite
directives must go in .htaccess files. This is simply not the case. You can
put user authentication configurations in the main server configuration, and
this is, in fact, the preferred way to do things. Likewise, mod_rewrite
directives work better, in many respects, in the main server configuration.

However, my experience indicates that this statement is simply wrong when it
speaks of authentication in the main configuration file.

Contents of virtual host configuration file:

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require all denied
  </Directory>

  <Directory /HLL_Administration/Payroll>
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /HLL_Administration/Payroll
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require group payroll
  </Directory>

No .htaccess file in directory.

Result, no-one can authenticate.

Contents of virtual host configuration file:

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require all denied
  </Directory>

  <Directory /HLL_Administration/Payroll>
  </Directory>

With .htaccess file containing:
<---
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /HLL_Administration/Payroll
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require group payroll
--->

And authentication works as expected. Users in the payroll group can
authenticate and users outside the payroll group cannot.



-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
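
Added example, not part of the original message and not Apache project code: a small Python check that walks the `<Directory>` blocks of a configuration and flags `Require` requirement types that belong to httpd 2.4 (mod_authz_core / mod_authz_host) when the target server is 2.2, the version named in the message. The function name `lint_require` and the sample text are constructed for illustration.

```python
import re

# Requirement types introduced with httpd 2.4 (mod_authz_core / mod_authz_host).
# The stock 2.2 authz modules use types such as user, group and valid-user.
REQUIRE_24_ONLY = {"all", "ip", "host", "local", "env", "method", "expr"}

OPEN_RE = re.compile(r"<Directory\s+\"?([^\">]+)\"?\s*>", re.I)
CLOSE_RE = re.compile(r"</Directory\s*>", re.I)
REQUIRE_RE = re.compile(r"Require\s+(?:not\s+)?(\S+)", re.I)


def lint_require(config_text, server_version="2.2"):
    """Return (line_no, directory, directive, message) findings."""
    findings = []
    current = None  # path of the <Directory> block currently being read
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        if CLOSE_RE.match(line):
            current = None
            continue
        m = REQUIRE_RE.match(line)
        if m and current is not None:
            kind = m.group(1).lower()
            if server_version.startswith("2.2") and kind in REQUIRE_24_ONLY:
                findings.append((line_no, current, line,
                                 f"'Require {kind}' is httpd 2.4 syntax"))
    return findings


# Constructed sample, modelled on the configuration quoted in the message.
SAMPLE = """\
<Directory />
    AuthType Digest
    Require all denied
</Directory>
<Directory /HLL_Administration/Payroll>
    Require group payroll
</Directory>
"""

if __name__ == "__main__":
    for finding in lint_require(SAMPLE):
        print(finding)
```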

