logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Order of execution for require directives

 
Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules



View previous topic :: View next topic  
Author Message
ales85



Joined: 15 May 2017
Posts: 1

PostPosted: Mon 15 May '17 21:32    Post subject: Order of execution for require directives Reply with quote

I need some help with Apache configuration when using multiple require directives (condition: any). What I would like to achieve is SSO when using Apache with Xampp on Windows (any version) through SSPI module. However I need a fallback mechanism that would allow ANY user to also visit the page but I would then provide alternate means of authentication.

At the moment I have SSO through SSPI functioning with the proper configuration and "require valid-user" directive. When I try to permit any other user that is not capable of authenticating through SSO to also access the page the problem is that Apache always seems to use the less complicated method of authentication (or none). So when I use configuration such as the following:
<RequireAny>
require valid-user
require all granted
</RequireAny>
In the case above all users will just automatically be granted access without any authentication. The same goes if I replace "require all granted" with:
require expr ${HTTP_COOKIE} -strmatch "*ALLOWED*"
having previously set a proper cookie in a custom 401 page.

To summarize, I'd like to always authenticate users first through SSO and if this doesn't work, then all users should be granted access. The reason for this is that I need REMOTE_USER key in $_SERVER variable if such authentication can be performed (user exists in AD).
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6202
Location: Germany, Next to Hamburg

PostPosted: Wed 17 May '17 22:48    Post subject: Reply with quote

Without having tested it it might make sense to use th <If> statement. [1]


Code:

<If>
</If>
<ElseIf "%{HTTP_COOKIE}% -strmatch '*ALLOWED*'">
    Require all denied
</ElseIf>
<Else>
    Require all denied
</Else>



Just an idea without testing.

Also see the almost last comment about the AliasProvider [2] and [3] Authorization Containers


Maybe one of this suggestions helps


[1] https://httpd.apache.org/docs/2.4/howto/access.html#env
[2] https://httpd.apache.org/docs/2.4/de/mod/mod_authz_core.html
[3] http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#logic
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules
Page 1 of 1