Re: Is it possible to use SSLRequire to give differential access to a directory and a subdirectory?

On Wed, 21 Mar 2007, Serge Dubrouski wrote:

> On 3/20/07, Seth Chaiklin <seth@xxxxxx> wrote:

> > On Tue, 20 Mar 2007, Serge Dubrouski wrote:
> >
> > > I'm afraid you are mixing up 2 different things: control of user
> > > access to the site and control type of access to your site.
> > > SSLRequireSSL can't control what users can get access to the
> > > particular directory but it can control that access to that directory
> > > will be provided through SSL enabled connection only.
> >
> > That is clear for SSLRequireSSL, but I am referring to SSLRequire

> Sorry my mistake :-)

No problem.

> Per mod_ssl documentation SSLRequire has
> directory context, that means that you should be able to control user
> access per directory level and provide access to /Dir to user1 only
> and to /Subdir to user2 only. You have just to build the correct
> rules, based on clients certificates, for example.

Right.  This was my original query.  It is easy enough
to specify different criteria for different directories 
(including subdirectories).

The problem arises however because the properties for the
directory are passed down to the subdirectory!  In this case,
the SSLRequire for the directory is given to the subdirectory,
which makes it impossible to give different requirements to 
the directory and subdirectory.

For example:

<Directory /directory>
SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DE"
</Directory>

<Directory /directory/subdir>
SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DK"
</Directory>

If a person with a DK certificate tries to access /directory/subdir 
then access will be rejected (according to the error message in 
the logfile) because it does not have a DE certificate.

I was hoping that someone here could (a) confirm that this is the 
way it is supposed to work, and (b) confirm that there is no way 
to override this directory cascade.

From reading the documentation, it does not appear possible, in 
which case I will make an "enhancement" request.

Thanks,
  Seth Chaiklin


> > > On 3/20/07, Seth Chaiklin <seth@xxxxxx> wrote:
> > > > Apache 2.2.4 with mod_ssl
> > > >
> > > > Can someone please confirm that the following is impossible
> > > > using only certificates and SSLRequire.
> > > >
> > > > /Directory:                      only user 1 has access
> > > > /Subdirectory to Directory:      only user 2 has access
> > > >
> > > > The problem is that, one can either:
> > > >
> > > > a. give access to /Directory to user 1 with a SSLRequire
> > > > expression that only user 1 can satisfy, but then user 2 cannot
> > > > get access to /subdirectory, because the SSLRequire expression
> > > > for /Directory gets passed down.
> > > >
> > > > or
> > > >
> > > > b. give access to /Directory for both users 1 and 2 with a
> > > > SSLRequire expression, while a more restrictive expression can
> > > > prevent access to /subdirectory for user 1.
> > > >
> > > > Neither of these alternatives is desirable. The idea is for each
> > > > user to have access to only the directory or the subdirectory,
> > > > but not both.
> > > >
> > > > The manual mentions that SSLRequire "is a very powerful directive
> > > > because the requirement specification is an arbitrarily complex
> > > > boolean expression containing any number of access checks," but I
> > > > don't think it can handle this kind of differential, individual
> > > > per-directory access -- but maybe my understanding of boolean
> > > > logic is too limited.
> > > >
> > > > Thanks for any insight.
> > > >
> > > > Sincerely,
> > > >   Seth Chaiklin
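An added configuration example, not part of the thread, showing the kind of rule Serge's reply points at. Because mod_ssl inherits the parent's SSLRequire into the subdirectory and ANDs the two expressions, the fix is a single expression on the parent that branches on %{REQUEST_URI}; it assumes /directory is served at the URL path /directory and that the virtual host already has SSLVerifyClient configured.

```apache
# Added example (not from the thread). mod_ssl ANDs every SSLRequire it
# inherits down the <Directory> tree, so "DE" on /directory plus "DK" on
# /directory/subdir can never both hold for one client certificate.
# Workaround: put both rules in ONE SSLRequire on the parent and let the
# branch depend on the requested URL. Assumes /directory is served at
# the URL path /directory and the vhost already does SSLVerifyClient.

<Directory /directory>
    SSLRequireSSL
    # Under /directory/subdir only a DK certificate passes; anywhere
    # else under /directory only a DE certificate passes.
    SSLRequire ( %{REQUEST_URI} =~ m#^/directory/subdir(/|$)# \
                 and %{SSL_CLIENT_S_DN_C} eq "DK" ) \
            or ( %{REQUEST_URI} !~ m#^/directory/subdir(/|$)# \
                 and %{SSL_CLIENT_S_DN_C} eq "DE" )
</Directory>

# No SSLRequire here on purpose: anything added would be ANDed with the
# parent's expression, which is exactly what broke the original setup.
<Directory /directory/subdir>
    SSLRequireSSL
</Directory>
```

Because the branch is keyed on the URL rather than the filesystem path, any Alias or rewrite that exposes /directory/subdir under a different URL must be reflected in the pattern, otherwise the DE branch applies to it.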

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.