Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
477 views
in Technique[技术] by (71.8m points)

configuration - Apache permissions based on querystring

I have an apache server where authentication is required, but there are some calls that need to be allowed for all.

On off these calls is based on a query string for example:

/foo/api.php?Token=123&Task=DoStuff&Result=json

I taught that with a LocationMatch that this would have workd so i worked out this configuration:

<LocationMatch ^/foo/api.php?.*(Task=DoStuff).*>
    Order Allow,Deny
    Allow from All
</LocationMatch>

But this doesn't let me pass the authentication (meaning i get a 401). If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.

Anyone has any idea how to configure this to check the Task parameter in the querystring?

For authentication we are using kerberos, this is forced on the whole site This is our conf for kerb

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Directory /var/www/html>
  Options FollowSymLinks
  AllowOverride All
  AuthType Kerberos
  Require valid-user
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbAuthRealms FOO.LOCAL
  KrbServiceName HTTP/server.foo.local@foo.LOCAL
  Krb5KeyTab /etc/httpd/conf/http.keytab
  Satisfy Any
  Order deny,allow
  Deny from all
  Allow from 192.168.72.90
  Allow from 192.168.72.91
  Allow from 192.168.72.94
  Allow from 192.168.72.95
  Allow from 127.0.0.1
</Directory>
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

As you can read here:

The <Location>, <LocationMatch>, <Directory> and <DirectoryMatch> Apache directives allow us to apply authentication/authorization to specific patterns of resources with a high degree of specificity, but do not give us that control down to the query-string level.

Therefore, you have to use mod_rewrite to achieve you goal.
For example:

RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
      Order allow,deny
      Allow from env=no_auth_required
      AuthType Basic
      AuthName "Login Required"
      AuthUserFile /var/www/foo/.htpasswd
      require valid-user
      Satisfy Any
</LocationMatch>

UPDATE

You've stated that:

If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.

Then, try adding the following rows to your configuration:

RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
      Order allow,deny
      Allow from env=no_auth_required
</LocationMatch>

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...