I'm trying to place an entire directory behind Apache Authentication on an IBMi AS/400 V7R2. I need to specify credentials which have no relationship with the AS/400 other than the fact they are defined in a file on the IFS. I'm new to the IBMi world and am unsure where Apache was installed. I know I need to include a handful of Apache modules, but don't know where those are. I also do not know where I can find the htpasswd.exe equivalent so I was going to be hopeful and use http://www.htaccesstools.com/htpasswd-generator-windows/. The file which contains the credentials must have the password encrypted as well. I've tried various strings in a which command in PASE with no luck.
I've also seen two different ways to include the password file (PasswdFile and AuthUserFile) but can't find the difference. My assumption is that PasswdFile is used for actual IBMi system users and AuthUserFile is meant to be used with a .htpasswd.exe generated file for arbitrary users.
Code Examples I've tried:
<Directory "/path/to/secure/directory">
PasswdFile /path/to/.htpasswd
AuthType Basic
AuthName "To access the requested page, please enter your login credentials."
AllowOverride AuthConfig Options
Options Indexes
Require valid-user
</Directory>
OR
<Directory "/path/to/secure/directory">
AuthType Basic
AuthName "Secure Login"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
The modules I was going to include to cover all of my bases until it was working include:
mod_access.so
mod_auth.so
mod_auth_anon.so
mod_auth_dbm.so
mod_auth_digest.so
Has anyone done this before, or knows how to do this on IBMi and can lend some guidance? Most articles specific to Apache for IBMi usually explain how to authenticate against existing IBMi users and then everything for .htpasswd base authentication is not specific to IBMi, so I don't know if Apache for IBMi is different in this case or if I'm doing something wrong.
Hope this works.
I would say you're stuck using either the system user ids and password or validation lists. check out this link:
http://www-01.ibm.com/software/webservers/httpservers/doc/v4r4/wmg/RZAG2M07.HTM#HDRPASSWDF
Related
Hi I am new here so little bit hesitating in asking question as i don't know the rules, But i will give a try.
I have successfully password protected a website using .htaccess and .htpasswd,
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/.htpasswd
AuthGroupFile /dev/null
require valid-user
SetEnvIf Request_URI "^/dir1" dir1_uri
SetEnvIf Request_URI "^/dir2" dir2_uri
Order Allow,Deny
Allow from env=dir1_uri
Allow from env=dir2_uri
Satisfy any
As you can see i am allowing access to the dir1 and dir2.
Problem is that when i access the dir1 or dir2 through browser, the Authentication window pop up, this should not happen. Though it open the site when I cancel the pop up and can access the website without any problem. But it always pop up whenever i visit them. I don't know why this is happening.
Please help me.
Finally I able to resolve it and it was due to my own mistake.
By debugging for continuous 6-7 hours I found that the style sheet containing background-url property referencing to images which are in the restrictive directory or not existing are causing to pop up authentication pop up. I fixed them and it is now working.
I have a directory on my website that I need to make sure no one but myself can get into. From the reading I've done, it looks like there are two ways to protect a directory:
Password protect the directory using the .htaccess file
Deny access to all IP addresses but my own from accessing the directory, also using the .htaccess file
I need to protect the files in the directory as securely as possible, so I figured I'd use both of those methods for double protection.
Question 1: Am I missing anything? (i.e. is there another layer of protection I can add?)
Question 2: What would I need to put in a .htaccess file to get the above to work?
Your .htaccess file would contain:
AuthUserFile /usr/local/nate/safe_place/.htpasswd
AuthGroupFile /dev/null
AuthName "Protected Files"
AuthType Basic
require user nate
order deny, allow
deny from all
allow from 127.0.0.1
The .htaccess file goes in the directory you're trying to protect.
You also need a .htpasswd file (shown above as /usr/local/nate/safe_place/.htpasswd) which contains the text username:password_hash. So if we use "nate" as an example and "secret" as the password (please don't use that) you get:
nate:XmN6pwFyy3Il2
You can use this tool to generate your own password file: http://www.tools.dynamicdrive.com/password/
Just make sure that no one can read your .htpasswd file. Also note that basic authentication does no encryption by itself. If you're on an open network, anyone can see your password and all the secret data going over the network. Make sure you visit your site via https if it's really that secret.
You can read more about .htaccess files here:
http://www.javascriptkit.com/howto/htaccess.shtml
Assuming you're running Apache and have an AllowOverride directive permitting .htaccess files to use <Limit>, the following should be a good starting place for you:
<Limit GET>
Order deny,allow
Deny from all
Allow from IP_ADDRESS_HERE
</Limit>
More documentation on <Limit>: http://httpd.apache.org/docs/current/mod/core.html#limit
and for access control: http://httpd.apache.org/docs/2.2/howto/access.html
I have a CakePHP Application which I want to protect with a password. The tricky thing is, that all files/locations should be only accessible with a password EXCEPT one specific Address (a function withing a CakePHP-controller)
The Address is like that:
http://example.com/MyApp/MyController/MyFunction?MyParam=MyValue
All other locations should be only accessible with a password
http://example.com/MyApp/MyController/MyOtherFunction
http://example.com/MyApp/MyController/MyOtherFunction
http://example.com/MyApp/MyOtherController/MyOtherFunction
Well, I tried it first in the root .htaccess-File, but the whole rewrite-thing of CakePHP makes it very difficult and in .htaccess-Files are no <LocationMatch> directive allowed. So I tried it with <FilesMatch>, but the real File is always the same: index.php. mod_rewrite rewrites all Addresses to
http://example.com/MyApp/app/webroot/index.php?url=$1
In the next step I tried it in the apache-configuration and put there this section
<LocationMatch ^/MyApp/MyController/MyFunction.*>
AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
Require user MyUser
</LocationMatch>
Well the regex matched, but it was the wrong way. It protects MyFunction but not the rest.
Are you using .htpasswd? You might be better using Cake Auth, then you can do this in the appropriate controller:
function beforeFilter() {
$this->Auth->allow('MyFunction');
}
I just got Apache/LDAP authentication working (almost) on a new SLES 10 server.
When I visit one of the protected areas on my website I get the Apache Authentication pop-up window where I can LDAP authenticate to gain access to the protected folder.
But I'm getting wierd behaviour.
If I type in a valid user but the incorrect password, it lets me retry authentication.
If I type in a non-valid user (like 'aldfklsf' or even leave the username field blank) then I get an error 500 page and do not get the opportunity to retry authentication.
I have cache disabled... Try to refresh the page to get the Apache authentication window to come back and it doesn't. I just keep getting the error 500 page. Looking in the Apache error logs it says: user aldfklsf not found, every time I refresh the page. It's like it's hanging on to that username.
Is there some setting in Apache that will allow me to attempt to authenticate again?
Here's the entirety of the conf file that is protecting the directory:
<Directory "/media/nss/VOL1/ProtectedDir">
Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
Require valid-user
AuthBasicAuthoritative Off
AuthzLDAPAuthoritative Off
AuthBasicProvider ldap
AuthLDAPURL ldap://10.20.32.3/o=wlwv?uid?sub
</Directory>
An update. I found this in the Apache documentation:
Under normal circumstances, the Apache
access control modules will pass
unrecognized user IDs on to the next
access control module in line. Only if
the user ID is recognized and the
password is validated (or not) will it
give the usual success or
"authentication failed" messages.
This seems to be the answer. Unfortunately I do not understand Apache enough to take the information from that page and implement it so that it works correctly.
Can anyone help?
Ok, got it figured out. Here is the simple solution in case anyone else has this issue.
Changing:
AuthBasicAuthoritative Off
to
AuthBasicAuthoritative On
was all it took.
I have a domain that will be accessed by a small, private group of people. So I want to control access via authentication.
The domain has a collection of applications installed that each have their own sub-domain. Eg: domain.com, app1.domain.com, app2.domain.com, app3.domain.com
I'd love to have a single sign-on solution so they don't have to authenticate themselves for each application. Also, the applications are written in different languages (PHP, Python and Perl) so authenticating users through an Apache module is ideal.
I am new to digest authentication, but it seems like a good solution. I have used htdigest to create my users. I have configured my domain and sub-domains (See below).
If I go to the domain or any of the sub-domains it will prompt for a username and password. If I enter a correct username and password, it will authenticate me and the page will load. However, if I go to another sub-domain, it will ask for me to enter a username and password again. If I enter the same username and password, it will work.
So the password file is OK, and authentication is OK, but the problem seems to lie in the configuration of the AuthDigestDomain.
I have searched all over the net to find an example of using Digest authentication on multiple domains, but I cannot find a specific example that solves my problem.
I am hoping someone here can assist. Do I put the same authentication information in every Directory? Should I be using Directory or Location or Files? Have I missed something all-together?
Thanks in advance!
Below is an example of my Apache config for domain.com:
<Directory /var/www>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
And here is an example of app1.domain.com:
<Directory /var/lib/app1>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
To baffle things even further, this works when using IE6, but not Firefox or Chrome. Is it the clients not sending the authentication properly, or is is the server not sending the correct credentials?
I have also been reading up on RFC 2617 and written the authentication headers using PHP to ensure that the request/response challenge is correct. This hasn't helped at all!
Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.
For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.
Here's my cross-browser solution to this problem: http://travisce.com/arest/
I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:
The AuthDigestNonceLifetime directive
controls how long the server nonce is
valid. [...] If seconds is less than 0
then the nonce never expires.
So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds which would exactly explain the behavior you are geting.
Could a wildcard on the AuthDigestDomain help?
*.domain.com