I'm developing a client-server application with WebDAV functionality. Apache2 is used as webserver, a Windows Phone application as client. I'm working with classifications: TOPSECRET - SECRET - CONFIDENTIAL - PUBLIC.
TOPSECRET: SSL mutual authentication + password/username
SECRET: SSL mutual authentication
CONFIDENTIAL: password/username
PUBLIC: no authentication (but SSL is required)
So far, it's working with this configuration in Apache2: the user must choose at which level he wants to authenticate and he will be directed to the correct folder.
#For webdav configuration
Alias /public /home/bram/Desktop/webdav/public
Alias /confidential /home/bram/Desktop/webdav/confidential
Alias /secret /home/bram/Desktop/webdav/secret
Alias /topsecret /home/bram/Desktop/webdav/topsecret
<Location /public>
#no authentication required
DAV On
Satisfy Any
Allow from all
SSLVerifyClient none
</Location>
<Location /confidential>
#only username-password authentication
DAV On
Satisfy Any
Allow from all
SSLVerifyClient none
AuthType Digest
AuthName "DavCompany
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
</Location>
<Location /secret>
#only strong/device authentication (mutual SSL)
DAV On
Satisfy Any
Allow from all
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
<Location /topsecret>
#Device + username-password authentication
DAV On
Satisfy Any
Allow from all
AuthType Digest
AuthName "DavTopsecret"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
SSLVerifyClient require
SSLVerifyDepth 3
</Location>
My problem: When authenticated in TOPSECRET, the user also has to see the folders SECRET, CONFIDENTIAL end PUBLIC. When authenticated in CONFIDENTIAL or SECRET, the user has to see the folder PUBLIC. I'm not familiar with Apache2.
Has anybody a suggestion to make this work?
This is a tough one. I'd have to experiment to find the answer, but I think you want to try to avoid mixing authorization mechanisms in Apache (you're using SSL's builtins, along with Apache's core mechanisms). You may, also, need this to be more hierarchical.
This perhaps isn't the complete answer, but it should be a starting point. Try setting your "base" permissions in the <VirtualHost> you're working with and vary the Locations within scope:
<VirtualHost *:443>
# other VirtualHost configurations
# ....
SSLVerifyClient optional
SSLVerifyDepth 3
Require ssl
Satisfy all
<Location /confidential>
AuthType digest
AuthName "DavCompany"
AuthUserFile /home/bram/Desktop/password/digest-password
Require valid-user
</Location>
<Location /secret>
Require ssl-verify-client
</Location>
<Location /topsecret>
AuthType Digest
AuthName "DavTopsecret"
AuthUserFile /home/bram/Desktop/password/digest-password
Require ssl-verify-client
Require valid-user
</Location>
</VirtualHost>
I'm sure the above isn't perfect, but I think it is along the right lines for what you're trying to accomplish. I haven't run this through Apache, so it is possible there are mistakes above, but I believe it is roughly accurate.
The idea of what I've done above is to try to keep the overall authorization plan within the same scope. From there, the "tighter" scopes are applied for their specific locations. I do think there is a problem in that the user files are separate, and the AuthName are different for confidential and topsecret. I think, as it is, users with topsecret MAY NOT have access to confidential with their credentials if the AuthUserFile isn't the same.
Related
I need to CASsify an application that is not intended to use CAS.
So I installed the Apache mod-auth_cas module and try to "filter" by cas-attribute based on various URLs.
Example:
<Location /index.php/foo>
Authtype CAS
Require cas-attribute "myattribute:content1"
</Location>
<Location /index.php/bar>
Authtype CAS
Require cas-attribute "myattribute:content2"
</Location>
Is this possible?
Thank you in advance.
This filtering doesn't work.
I have 2 virtual hosts under one domain: a.mydomain.com, b.mydomain.com.
And in the global configuration of apache I have the following:
<Directory />
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This works well for all the virtual hosts to have basic auth protection. However, I need to enter username and password for a.mydomain.com and b.mydomain after I went to mydomain.com and authenticate there.
So my question is: is there a way to do authentication on mydomain.com only and that user do not need to enter username and password again for all the virtual hosts under this domain?
Thanks advance.
Any configuration done in the httpd.conf or apache2.conf is a global configuration and will apply to all of your configured sites.
To only have it apply to one of the sites. Move the auth configurations to the specific virtual host configuration file
<Directory />
# keep these
Options FollowSymLinks
AllowOverride None
# move these to the vhost configuration you want to protect
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
AuthUserFile /etc/httpd/password_http_auth
Require user mydomain_user
</Directory>
This might be useful for someone:
I have a single virtual host with many aliases. It is a multisite set up with a single source code for multiple websites. I needed a basic authentication for some of the hosts but not for others while the virtual host is common for all the hosts/domains.
Here is ow I did it and it works fine (Apache 2.4 / Ubuntu 18LTS):
SetEnvIf Host "secure\.host\.com" SECURED
SetEnvIfNoCase Request_URI "^/secure-dir/" SECURED
AuthType Basic
AuthName "Basic Auth Message"
AuthUserFile /var/www/public-html/.htpasswd
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED
In the above example I also have a secured directory (line 2) which works with regular expression so it will match with any file in that directory.
On line 1 is the secured host name. Please note the backslash before each dot character!
Add as many lines for hosts or directories as you need.
I have a web application that is being protected by a Shibboleth authentication module. My current config is as below
<Location /MyApp>
AuthType shibboleth
ShibUseHeaders On
ShibRequestSetting requireSession 1
require shibboleth
</Location>
The shibboleth is an authentication module that provides SSO capability and the current flow directs the user to an Identity Provider for the user to enter the login credentials. I want to be able to open up a specific URL so that the URL gets bypassed by the authentication module. I tried the below but it doesn't seem to work and I get a blank page on loading the URL
Method 1
<Location /MyApp/Login.html>
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
Method 2
<Location /MyApp/Login.html>
AuthType shibboleth
ShibRequestSetting requireSession 0
require shibboleth
</Location>
I did some additional debugging and it appears that the problem is with additional files the Login.html loads - such as css, js etc. What is the correct way to configure this in Apache so that the Login.html can be bypassed from the authentication
Thanks
My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the html file
<Location ~ "/MyApp/(Login.html|SessionTimeout.html|accessDenied.html|/badRequest.html|status|css/*|login/*|images/*|style/*|js/*|javascript/*|)">
Satisfy Any
Allow from all
AuthType None
Require all granted
</Location>
When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:
<LocationMatch "^(?!/server-status)">
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
<RequireAll>
Require ssl
Require user valid_user_name
</RequireAll>
</LocationMatch>
Analyzing:
<LocationMatch "regex"> is equivalent to <Location ~ "regex">.
The regex used, is pcre (perl compatible regular expressions).
^(?!/server-status) means:
^: "starts with"
(?!): "negative look ahead (instead of positive (?=))"
I have a cakephp project consisting of website URLs and a URL for an API, say:
http://myproject.com/controller1/someaction
http://myproject.com/controller2/someotheraction
http://myproject.com/api/controller1/someapiaction
For production deployment, the websites and API both handle authentication & authorization using cakephp's methods.
I would like to deploy the whole project on a staging server. There, the websites should be HTTP Auth protected, whilst the API should be unprotected (because I don't want to add auth to the API consumers). I do not want to change the project's sources or configuration and instead solve it via Apache configuration.
I tried several vhost configurations, basically following this scheme:
<LocationMatch "/api/.*">
Order allow,deny
Allow from all
Satisfy any
</LocationMatch>
<Location />
Order allow,deny
Allow from all
AllowOverride all
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require group mytesters
</Location>
I also tried mixing Location & Directory directives, using Location or LocationMatch for both sections, negated regex for LocationMatch, separate vhosts for both sections, ... - none of this worked: Either the whole site was protected, or nothing.
Am I getting something really wrong, or is it just not possible (due to Apache or the the way cakephp handles rewrites)?
Try the following configuration:
<Directory /path/to/your/htdocs>
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require valid-user
AllowOverride AuthConfig
</Directory>
<Location "/api">
Satisfy any
</Location>
I have trac installed and running great using apache2 and mod_wsgi. However when ever a user tries to access even the front page they are greeted with a login. I've tried several things, but everything I try either disables the authentication all together or won't allow unauthenticated users to view the site. Here's the authentication section of my httpd.conf file:
<Location '/'>
AuthType Basic
AuthName "Trac"
AuthUserFile /home/trac/.htpasswd
Require valid-user
</Location>
I'm almost certain that the solution lies int the require line but I've exhausted my ow creativity. Any thoughts?
EDIT: The answer I selected works great. The link given doesn't have instructions on connecting the password file to the system.
My memory is hazy, but the only solution I found when I had this issue was switching to from Apache authentication to the AccountManagerPlugin.
You can specify when apache should ask about password.
In trac when you select Login it will open site: /trac_folder/login
So defining location for authentication should do the trick.
Check my trac.conf:
WSGIScriptAlias /trac /var/lib/trac/apache/trac.wsgi
## This is required if you plan to use HTTP authorization. Without it the
## user name won't be passed
WSGIPassAuthorization On
<Directory /trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
#AuthType Basic
#AuthName "TracHaselko"
#AuthUserFile /var/lib/trac/authfiles/htpasswd
#Require valid-user
</Directory>
<Location /trac/login>
AuthType Basic
AuthName "TracHaslo"
AuthUserFile /var/lib/trac/authfiles/htpasswd
Require valid-user
</Location>
In you file change:
<Location '/'>
to:
<Location '/login'>