I have a CakePHP Application which I want to protect with a password. The tricky thing is, that all files/locations should be only accessible with a password EXCEPT one specific Address (a function withing a CakePHP-controller)
The Address is like that:
http://example.com/MyApp/MyController/MyFunction?MyParam=MyValue
All other locations should be only accessible with a password
http://example.com/MyApp/MyController/MyOtherFunction
http://example.com/MyApp/MyController/MyOtherFunction
http://example.com/MyApp/MyOtherController/MyOtherFunction
Well, I tried it first in the root .htaccess-File, but the whole rewrite-thing of CakePHP makes it very difficult and in .htaccess-Files are no <LocationMatch> directive allowed. So I tried it with <FilesMatch>, but the real File is always the same: index.php. mod_rewrite rewrites all Addresses to
http://example.com/MyApp/app/webroot/index.php?url=$1
In the next step I tried it in the apache-configuration and put there this section
<LocationMatch ^/MyApp/MyController/MyFunction.*>
AuthType Basic
AuthName "Secure Area"
AuthUserFile /path/to/.htpasswd
Require user MyUser
</LocationMatch>
Well the regex matched, but it was the wrong way. It protects MyFunction but not the rest.
Are you using .htpasswd? You might be better using Cake Auth, then you can do this in the appropriate controller:
function beforeFilter() {
$this->Auth->allow('MyFunction');
}
Related
How would I go about creating a link that contains confidential information specific to the user and when clicked, it would open up a tab that requires authorization in order to access the information.
I've been given advice to use Apache and Drupal but I'm not sure how to start things. Any form of advice would be GREATLY appreciated.
You can use Shield module of Drupal for your purpose.
OR
You should be able to do this using the combination of mod_env and the Satisfy any directive. You can use SetEnvIf to check against the Request_URI, even if it's not a physical path. You can then check if the variable is set in an Allow statement. So either you need to log in with password, or the allows you in without password:
//Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/your/url require_auth=true
// Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
//Setup a deny/allow
Order Deny,Allow
//Deny from everyone
Deny from all
//except if either of these are satisfied
Satisfy any
1. a valid authenticated user
Require valid-user
or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
I'm trying to place an entire directory behind Apache Authentication on an IBMi AS/400 V7R2. I need to specify credentials which have no relationship with the AS/400 other than the fact they are defined in a file on the IFS. I'm new to the IBMi world and am unsure where Apache was installed. I know I need to include a handful of Apache modules, but don't know where those are. I also do not know where I can find the htpasswd.exe equivalent so I was going to be hopeful and use http://www.htaccesstools.com/htpasswd-generator-windows/. The file which contains the credentials must have the password encrypted as well. I've tried various strings in a which command in PASE with no luck.
I've also seen two different ways to include the password file (PasswdFile and AuthUserFile) but can't find the difference. My assumption is that PasswdFile is used for actual IBMi system users and AuthUserFile is meant to be used with a .htpasswd.exe generated file for arbitrary users.
Code Examples I've tried:
<Directory "/path/to/secure/directory">
PasswdFile /path/to/.htpasswd
AuthType Basic
AuthName "To access the requested page, please enter your login credentials."
AllowOverride AuthConfig Options
Options Indexes
Require valid-user
</Directory>
OR
<Directory "/path/to/secure/directory">
AuthType Basic
AuthName "Secure Login"
AuthUserFile /path/to/.htpasswd
Require valid-user
</Directory>
The modules I was going to include to cover all of my bases until it was working include:
mod_access.so
mod_auth.so
mod_auth_anon.so
mod_auth_dbm.so
mod_auth_digest.so
Has anyone done this before, or knows how to do this on IBMi and can lend some guidance? Most articles specific to Apache for IBMi usually explain how to authenticate against existing IBMi users and then everything for .htpasswd base authentication is not specific to IBMi, so I don't know if Apache for IBMi is different in this case or if I'm doing something wrong.
Hope this works.
I would say you're stuck using either the system user ids and password or validation lists. check out this link:
http://www-01.ibm.com/software/webservers/httpservers/doc/v4r4/wmg/RZAG2M07.HTM#HDRPASSWDF
I've been searching for a while now and there must be a simple answer for this. I want to apply a password authorization in my htaccess file, but only for the top url of my site. So for example, I'd like for a password prompt to appear if you access the url "mydomain.com", but not to appear for the url "mydomain.com/articles" (and I'm talking specifically about a url, not a server directory location). Is this possible? I know how to password protect the entire site, with the code below:
AuthType Basic
AuthName "restricted area"
AuthUserFile "/home/passwords/.htpasswd-file"
Require valid-user
...which works for me. I'm just not sure how to adjust this so that the password prompt only appears on the very top url of the site.
Edit: To clarify, I'm not talking about subdirectory access, but URL access. The url "mydomain.com/articles" I think is a rewritten URL from Magento, there isn't an "articles" directory on my site.
Edit 2: Also to clarify a bit more, I can't do a FilesMatch on the index.php file of the site, because it seems Magento the index.php is used for serving all of the urls on the site (so if I password protect index.php, the whole site is inaccessible).
I am working on windows and for now I have Http Basic authentication with following .htaccess file:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile D:\\some\\windows\\path/.htpasswd
require valid-user
and following .htpasswd file for user "test" with password "test" (created using http://www.htaccesstools.com/htpasswd-generator-windows/):
test:$apr1$EUhLJ8Ye$LpBIbzDcBXY.80pH53oN2/
This works, I am able to enter correct username and password and I gain access.
But as I am not using SSL I would like to use Digest authentication (to avoid sending password in plain text to server). I changed line AuthType Basic to AuthType Digest but it is not working anymore - even if I am typing correct user and pass I cant gain access.
Probably I should encrypt/hash password in .htpasswd using different algorithm but I cant find it...
If you want to use digest authentication, you'll have to create new password files. Those for digest auth will have a slightly different format that that used for basic auth. Typically, apache comes with tools for doing this.
Look out for the command line programs "htpasswd.exe" and "htdigest.exe". You need to use the second one for generating password files for digest auth. Use it like this:
c:\path\to\htdigest.exe -c c:\some\windows\path.htpasswd_digest realm username
You'll only need "-c" the first time you issue the command, if you only add new users to an existing file, it's like:
c:\path\to\htdigest.exe c:\some\windows\path.htpasswd_digest realm another_username
"realm" should be the same value you used in your apache config for AuthName.
Oh, and obviously, don't forget to update AuthUserFile in your apache configuration...
I have a domain that will be accessed by a small, private group of people. So I want to control access via authentication.
The domain has a collection of applications installed that each have their own sub-domain. Eg: domain.com, app1.domain.com, app2.domain.com, app3.domain.com
I'd love to have a single sign-on solution so they don't have to authenticate themselves for each application. Also, the applications are written in different languages (PHP, Python and Perl) so authenticating users through an Apache module is ideal.
I am new to digest authentication, but it seems like a good solution. I have used htdigest to create my users. I have configured my domain and sub-domains (See below).
If I go to the domain or any of the sub-domains it will prompt for a username and password. If I enter a correct username and password, it will authenticate me and the page will load. However, if I go to another sub-domain, it will ask for me to enter a username and password again. If I enter the same username and password, it will work.
So the password file is OK, and authentication is OK, but the problem seems to lie in the configuration of the AuthDigestDomain.
I have searched all over the net to find an example of using Digest authentication on multiple domains, but I cannot find a specific example that solves my problem.
I am hoping someone here can assist. Do I put the same authentication information in every Directory? Should I be using Directory or Location or Files? Have I missed something all-together?
Thanks in advance!
Below is an example of my Apache config for domain.com:
<Directory /var/www>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
And here is an example of app1.domain.com:
<Directory /var/lib/app1>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
To baffle things even further, this works when using IE6, but not Firefox or Chrome. Is it the clients not sending the authentication properly, or is is the server not sending the correct credentials?
I have also been reading up on RFC 2617 and written the authentication headers using PHP to ensure that the request/response challenge is correct. This hasn't helped at all!
Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.
For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.
Here's my cross-browser solution to this problem: http://travisce.com/arest/
I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:
The AuthDigestNonceLifetime directive
controls how long the server nonce is
valid. [...] If seconds is less than 0
then the nonce never expires.
So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds which would exactly explain the behavior you are geting.
Could a wildcard on the AuthDigestDomain help?
*.domain.com