I need to find a way to force Apache to ask users for credentials for each ressource they ask for under the root of my website.
This is my .htaccess content at the moment:
<Directory /var/www/vhosts/abcd>
Dav On
AuthType Basic
AuthName "private"
AuthBasicProvider external
AuthExternal auth
require valid-user
</Directory>
(This will call a Php script defined by auth.)
I want the user to authenticate again for each different ressource he might want to get, but keep the authentication alive when he successfully authenticate for a specific ressource.
Maybe I miss something about how I'm supposed to do this in an "Apache logic", anyway, any help will be apreciated !
Thanks.
Edit:
I misunderstood the way Apache authentication worked. I supposed that when someone was authenticated, he didn't need to authenticate again for any ressource under the same directory, but that's not true. If my PHP script use the current URI of the file requested, I can return a different status code depending one the right for someone to access it or not, even if he was granted access to the root for example.
Annoying the user every time he access a different resource is...well...annoying. Rather use an ACL (Access Control List) that your php auth script checks and denies access if the user doesn't have the correct permissions.
You're using basic authentication. So the browser is practically "authenticating again" for every request it makes: it remembers the authentication user/pass you entered end sends it with every request afterwards.
Can you please explain why you would want users to authenticate again and again? It might help us find a solution to your problem...
Related
I want to add a "admin log in" link to my website, where an admin can log in (using htaccess) and gain access to some hidden HTML elements. The idea is to use SSI to check if the REMOTE_USER is an admin,
<!--#if expr="$REMOTE_USER = 'admin'" -->
Edit entry
<!--#endif -->
then, the script edit.cgi also checks that the user is in fact admin, otherwise exiting.
The problem is, how can I do this such that guests don't see the login prompt? My idea was to set up htaccess in some subdirectory (eg ~/admin) and then have a link to a separate login page:
Click here to log in
This works for ~/admin/index.shtml (it "sees" REMOTE_USER=admin), but "outside" admin/ (eg. in ~/index.shtml) REMOTE_USER=(none).
My .htaccess file looks like this.
AuthName "Admin log in"
AuthType Basic
AuthUserFile /path/to/web/admin/.htpasswd
Require valid-user
My website is hosted on a standard web hosting service, so the things I can tweak is somewhat limited...
I have a portal with Login Authentication and after the user login to the website we are providing few links to the HTML files. This works perfect.
My concern is User's are able to access the HTML files without logging to the portal. I will not be able to convert the file to PHP as these files are huge and will be modified and updated regularly.
Please suggest how i can restrict the direct access to the HTML if the user is not logged in.
Tx
Suneel
Use .htaccess file to restrict access and authenticate user, then put your HTML files in subfolder related to location of that .htaccess file (so its restrictions would also apply). For example, you create .htaccess file with content like this:
AuthName "Enter password"
AuthType Basic
AuthUserFile /path-to-folder/.htpasswd
Require valid-user
then you create .htpasswd files which holds logins and password hashes. It will look like this (one line per user):
userlogin:8OytGCYCAPbS6
You can use some online .htpasswd generators like this one
I would like to make it possible to redirect users from a site to my Moodle installation, providing two encrypted parameters in the url. Based on these parameter, Moodle should authenticate the users and grant or refuse access.
Is anyone familiar with this, and can anyone point me in the right direction?
Should I build a new plug-in, modify index.php ? Both ?
Basically the php code to process the GET-parameters is ready, but I don't know how and where to insert it in the Moodle code.
Cheers for helping, much appreciated
Paul
This is a problem solved many times before. The best option for doing it securely is to use one of the existing auth plugins. If the sites are on the same server or you are happy to allow direct database access so that Moodle can read the password hashes from your other site's DB, then you can use db auth, which is simplest. Otherwise, you'll need some sort of cookie based one. I've used CAS authentication before, but shibboleth is also an option. This may seem like overkill, but really, it isn't. Just having auth tokens in the url leaves you open to brute force password-guessing attacks, so the challenge-response mechanism that these plugins provide is very important.
So I have a development site setup running Drupal. I've locked the site down with basic HTTPAuth + htpasswd to keep out baddies.
The problem is that a single node, a webform, needs to be accessible on this dev site from the live site.
My question is: because of Drupal's convoluted bootstrapping process how would I go about allowing access to only this single file/URL?
My vhost config for htpasswd:
<Directory />
AuthUserFile /var/www/.htpasswd
AuthName "my radbad dev site"
AuthType Basic
Require valid-user
</Directory>
I've tried something like the following without success:
<Location "/node/1334">
Allow from all
Satisfy any
</Location>
You can't do it like that, because the webform isn't a file, it's dynamically generated from info you gave Drupal (which it put in the DB). All Drupal URIs (apart from your uploaded files) are index.php sending you to the right place. There's no way to tell httpauth that sometimes index.php may be accessed freely and sometimes it requires auth.
There are several options for controlling access via a Drupal module, or (if your live site is Drupal) you could just give it the same webform, but no amount of tweaking around with httpauth will solve your problem.
<Location>-directives are applied after .htaccess is processed. This means, mod_rewrite already did its thing an the URL is now /index.php?q=node/1334. This is bad, because <Location> cannot be used for configurations based on the query string. See <Location> directive and How the sections are merged for details.
You will have to come up with a totally different solution, like making the Drupal database available under some other URL, that is not accessible from outside.
If you want to go the HTTP authentication route, consider the Secure Site module instead of editing .htaccess and creating a .htpasswd file. That's an error-prone process, while Secure Site gives you a form which you can use to type in a path you want excluded from securing. Even better, it uses the Drupal authentication system, so you can deny/allow people to the site based on Drupal roles and permissions.
I'm using HTTP Basic Authentication with AJAX requests. Firefox 3 is a whiner and always displays a dialog box for failed credentials -- even though I don't want one.
This question summarizes some of the browser and JS issues; you'll notice it's unresolved on the client side. Luckily, I have at least some freedom to change the server -- I can modify my .htaccess file.
Basically, whenever Firefox sees the WWW-Authenticate header, it tries to authenticate again. Can I suppress that header only for AJAX requests by modifying my .htaccess file? If so, how? I can pass a custom header in my XHR request if necessary.
Here's what it looks like currently:
AuthType Basic
AuthUserFile /www/private/.htpasswd
AuthName "Private Collection"
require valid-user
I faced a similar problem that I solved through a proxy written in nodejs.
Perhaps this can help you: Write proxy/wrapper class for own service in jersey