Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
editAsk a Question
Welcome To Ask or Share your Answers For Others

Categories

configuration - Apache permissions based on querystring

in Technique[技术] by (71.8m points)

I have an apache server where authentication is required, but there are some calls that need to be allowed for all.

On off these calls is based on a query string for example:

/foo/api.php?Token=123&Task=DoStuff&Result=json

I taught that with a LocationMatch that this would have workd so i worked out this configuration:

<LocationMatch ^/foo/api.php?.*(Task=DoStuff).*>
    Order Allow,Deny
    Allow from All
</LocationMatch>

But this doesn't let me pass the authentication (meaning i get a 401). If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.

Anyone has any idea how to configure this to check the Task parameter in the querystring?

For authentication we are using kerberos, this is forced on the whole site This is our conf for kerb

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Directory /var/www/html>
  Options FollowSymLinks
  AllowOverride All
  AuthType Kerberos
  Require valid-user
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbAuthRealms FOO.LOCAL
  KrbServiceName HTTP/server.foo.local@foo.LOCAL
  Krb5KeyTab /etc/httpd/conf/http.keytab
  Satisfy Any
  Order deny,allow
  Deny from all
  Allow from 192.168.72.90
  Allow from 192.168.72.91
  Allow from 192.168.72.94
  Allow from 192.168.72.95
  Allow from 127.0.0.1
</Directory>
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
438 views
Welcome To Ask or Share your Answers For Others

1 Answer

by (71.8m points)

As you can read here:

The <Location>, <LocationMatch>, <Directory> and <DirectoryMatch> Apache directives allow us to apply authentication/authorization to specific patterns of resources with a high degree of specificity, but do not give us that control down to the query-string level.

Therefore, you have to use mod_rewrite to achieve you goal.
For example:

RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
      Order allow,deny
      Allow from env=no_auth_required
      AuthType Basic
      AuthName "Login Required"
      AuthUserFile /var/www/foo/.htpasswd
      require valid-user
      Satisfy Any
</LocationMatch>

UPDATE

You've stated that:

If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.

Then, try adding the following rows to your configuration:

RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
      Order allow,deny
      Allow from env=no_auth_required
</LocationMatch>

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

Just Browsing Browsing

548k questions

547k answers

4 comments

86.3k users

Most popular tags

Theme made by Momin Raza, Modified by Ostack
Powered by Question2Answer
...