i have a basic auth protected directory with :
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
every thing is ok and directories are not visible , and force to login ,
but .txt files are visible directly in any browsers ,
i checked in every browser and its not some login remember problem
example :
test.com/password-dir/
is no visible
but
test.com/password-dir/1.txt
is visible
For every one who come here from google , or Other search mechanisms
I Finally Found The Problem and Fixed it .
When You are Using Curl
Its very strange on litespeed server with cache enabled , when you Request a Url with Authentication data ( user and password ) , even if you dont send Authentication data again , Server will always respond to you request .
in my case :
test/1.txt
was opened one time with auth data and responded to me , because of this , server always responded well even if im not sending auth data.
but when CURL request to another url link like:
test/2.txt
authentication data needed ;
so authentication doesnt have problem and worked well . it was just caching mechanism that let me visit/request the file again without auth data.
Related
I created an application witch will be used into domain and I must to make the authentification using user credentials. The user must not enter his credentials manualy. I must somehow to take the username from the target and then to check in Active Directory and then login.
Searching over internet I found that I must to configure the Apache server
I tried installing the mod_authnz_sspi and then in httpd.conf entering current settings
<LocationMatch ^/$>
AuthName "intranet"
AuthType SSPI
SSPIDomain xxx.xxx.xxx.xxx
SSPIAuth on
SSPIOfferSSPI on
SSPIAuthoritative on
require valid-user
SSPIUsernameCase lower
</LocationMatch>
But in the browser appear to enter the username and password witch I don't want that
I also tried installing mod_authn_ntlm but I don't succeded
Can somebody know how to do it? thanks!
You're on the right track using mod_authnz_sspi. Does it work if you type in the username and password? If so, then your server configuration is done.
To make the browser automatically send the credentials of the currently logged on user, the browser needs to trust the website. For IE and Chrome, you must add the website to the Trusted Sites or Intranet Sites in the Internet Options.
Firefox uses its own setting called network.negotiate-auth.trusted-uris, which is a list of sites it trusts for authentication.
My experience with Shibboleth is limited and I have no access to configuration or logs on the IdP or the SP. I am trying to troubleshoot this issue:
Previous Shibboleth session is still active on the client workstation. When attempting to access document protected by the following .htaccess configuration:
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
The client (occasionally) receives the following error message:
Authorization Failed
Based on the information provided to this application about you, you are not authorized to access the resource at "http://myresourcepath"
Please contact the administrator of this service or application if you believe this to be an error
In troubleshooting, I changed .htaccess from
require valid-user
to:
require shib-session
I thought the issue might be the deprecated parameter- but after changing, I was still receiving the authorization failed message. The only way to successfully authorize is to clear the browser cache, revisit the page which then it prompts for authentication, and then authorization passes its check and you hit the page successfully with no error.
What complicates matters even more, is, when .htaccess is set to:
require shib-session
The authorization error message persists even after clearing the cache and re-authenticating. I had to change .htaccess back to
require valid-user
I dont know what could cause the random authorization issue, if the session wasn't valid, the user would get directed to the idp for login, correct? Thats Shibboleth's design. So, the session has to be valid- but why does it not recognize the user as authorized for that resource?
Additionally:
after I received the message and googled quickly, it seems like a stock response from the idp:
https://technical.bestgrid.org/index.php/Vladimir's_general_Shiboleth_notes
says:
This specific example asks for the user variable to be set to any value - and any Shibboleth attribute can be used with the variable name it is assigned to in the Attribute Acceptance policy (AAP.xml). For more syntax on using the require directive, see the examples in the SP htaccess documentation on specific features implemented for the Apache require directive.
Users who do not have the attribute (or do not provide it), get the following error message (with the Shibboleth logo). .... is same message....
This form of control however may not be that user friendly - user would have to know to go either use Autograph to allow the release of the attribute, or talk to their IdP administrator to configure the attributes on the IdP.
Also note that this does not work with lazy sessions - in which case one immediately gets the same error message.
Further, note that care must be taken with overlapping access control blocks. These should be listed from the most-generic ("/") to the most specific (as "/secure" in the above example). Otherwise, the more relaxed settings on the generic one would override the more stringent settings on the specific one.
What is the purpose of the AuthName directive used within the <Directory></Directory> tag of the httpd.conf file?
AuthName is used when using authentication with Apache. As the documentation says:
The AuthName directive sets the Realm to be used in the
authentication. The realm serves two major functions. First, the
client often presents this information to the user as part of the
password dialog box. Second, it is used by the client to determine
what password to send for a given authenticated area.
In the picture below (from HeliconTech Blog), the AuthName has been set to "secret area".
Might there be a way to set one's .htaccess file to prompt for authentication each time? Example: I open a browser tab, go to the pw protected url, I'm prompted for a pw. Close the tab (main browser still open) and repeat the above and be prompted for the pw again. This is not happening unless I close the browser. Maybe this is a caching thing?
Here's what I have so far:
AuthType Basic
AuthName "myName"
AuthUserFile "/home/myDir/.htpasswds/public_html/myName/passwd"
require valid-user
Thanks in advance.
Actually it is working this way (simplified):
browser sends request to your server without credentials
Apache responses with 403 error because "require valid-user" was specified
browser prompts for username & password
browser sends request again, this time credentials are provided
Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
if everything is OK - puts out data with 200 status code
browser that receives 200 code caches used credentials for the relevant domain until browser session expires
As you see - problem lays in browser. You cannot force browser to forget password it uses for a domain. And usually you don't want to - for example if password protected page contains images - browser would require username and password for each downloaded image.
However there are some tips you could try:
you could write your own Apache authorization handler that only authorises user every second time it is accessing the page; but it's hard to do really
you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
you could do a trick, that every time a protected page is accessed some kind of script changes the password in passwd file; then provide two passwords for each user and switch them on each request; this way browser always remember "wrong" password; it seems crazy but this is an easiest solution I could think of :-)
I'm using Apache "Auth" security to limit access to my web site (via commands in the .htaccess file, an .htpasswd file, etc).
Is there a way to de-authorize a user via my PHP script, effectively giving them a way to log out?
With that type of authentication, the username and password are actually send by the browser on every subsequent request. As there's no way to tell a browser "hey, stop sending those", there is no way to do what you're trying to do.
(If, however, you had a PHP script involved that was handling part of the authentication, you could set a session variable for flagging to ignore the valid authentication and pretend the user is logged out.)
However, in terms of a good solution, there is not one. The user will stay logged in until his or her browser decides to stop sending the headers (usually when the browser is closed).
<?
// this PHP will cause a logout event, and give the login prompt again
$AuthName='WHAT-EVER'; // must match AuthName in .htaccess.
header('HTTP/1.0 401 Unauthorized');
header('Content-type: text/html');
header('WWW-Authenticate: Basic realm="'.$AuthName.'"');
// now redirect them when they click cancel
// should be to a page with no password required.
// use an HTML meta redirect instead of HTTP
// so it runs after the auth is cancelled.
?>
<html><head><meta http-equiv='refresh' content='0;../'></head></html>
Is this what you're looking for?
http://www.php.net/manual/en/features.http-auth.php#99348