Artem Kuchin wrote:
André Warnier пишет:Well, basically software must open and close access to files, but access itself must granted or denied by apache.Artem Kuchin wrote:Hello!Where is the situation. I have a bunch of files (thousands) in a directorystructure which is accessible via direct url. For example: directory: htdata/index.html htdata/files htdata/files/1/file1.dat htdata/files/1/file2.dat htdata/files/2/file3.dat htdata/files/3/file4.dat The poing is to make ONLY CERTAIN files avaible to users which are logged in and qualified for access for the files. For example: user john does logged in using apache auth scheme and he is qualified (SOMEHOW. HOW to tell it to apache?) for access to file2 and files4. After that this user can download them. Access to all other files gives "forbidden". Any idea?Hi.In function of what criteria is a user qualified or not to access which file ? or in function of what criteria is a file said to be accessible by which users ?For example: 1) apache authorized the user (basic login)2) user does something that makes software set a cookie OR write a special file where it is specified what user has access to file 3) user is provied with the link and can download the file(s), apache control access using cookie (no secure at all) or the file withpermissions (nice and secure)
I am not the ultimate expert, and you may want to wait for someone else to comment on this, but what you explain above makes me think that basically, the conditions under which a user gets access or not to a given file are what I would call "complex and non-standard".
I do not think that you will find a way to do exactly what you want using just built-in Apache possibilities, and maybe not even standard Apache add-on modules.
Using my own knowledge (Apache, perl and mod_perl), I would think that what you need here is a custom-made mod_perl-based "PerlAuthzhandler" add-on module, which will handle the "authorization" phase of the access to these URL's according to the precise rules you would specify, and either allow the user to access the file, or return a forbidden response (or something nicer). Such a handler could easily and securely handle authorization based on either a cookie or some file, independently of the file permissions themselves at the OS level.
I would offer to write it for you in my professional capacity, if you do not get any better suggestions on this list.
André --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx