Re: Authentication based on QUERY STRING


 



On Jan 26, 2011, at 1:38 PM, J.Lance Wilkinson wrote:

> Rich Bowen wrote:
>> On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
>>> I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:".  Otherwise he wants to continue to enforce his
>>> authentication.
>>> 
>>> Thoughts?
>> My first thought is "Holy cow, 1.3.9 was released in August 1999. Why the heck are you using *that* dinosaur."
>> Closely followed by, no, that's probably not possible, and especially not in something that ancient.
> 
> 	I'm certainly inclined to agree with you, but apparently Oracle
> 	disagrees.  There are apparently a multitude of custom Oracle
> 	modules which clearly, if they had Apache 2.x or Apache 2.2.x versions
> 	for, would be distributed and available thus making later versions
> 	of Apache feasible.

If those modules worked on 1.3.9, they would also work on 1.3.42, which, while hardly cutting edge, was at least released this century.

Meanwhile, suppressing authentication based on a query string argument is not easy simply because it's a remarkably bad idea, as it undermines the very notion of authentication. However, if you must do this, then you'll probably need to implement your own authentication mechanism. HTTP auth happens too early in the process for what you're trying to do.

The only solution that comes to mind is to have a front-end server that looks at the query string (say, mod_rewrite) and rewrites the request to an un-auth copy of the content when the query string has the right magic string in it.

Again, this seems like a really bad idea.

--
Rich Bowen
rbowen@xxxxxxxxxxx


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
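
A model of the front-end decision discussed in this message, as an added example that is not part of the original thread: it compares a bare substring test for ":25:" with a rule anchored to one exact path and query form, and lists which requests the substring test would let through without authentication. The path `/pls/apex/f`, the `p=APP:PAGE:SESSION` query layout, application id 100 and all sample requests are assumptions constructed for illustration.

```python
import re

MARKER = ":25:"  # the string named in the thread

# Assumed for illustration: the public page is served at this exact path,
# with a query of the form p=APP:PAGE:SESSION (constructed app id 100, page 25).
PUBLIC_PATH = "/pls/apex/f"
STRICT_QS = re.compile(r"p=100:25:[0-9]*")


def naive_exempt(query_string: str) -> bool:
    """Substring test: the marker anywhere in the raw query string."""
    return MARKER in query_string


def strict_exempt(path: str, query_string: str) -> bool:
    """Exempt only the exact path whose whole query is the expected p= value."""
    return path == PUBLIC_PATH and STRICT_QS.fullmatch(query_string) is not None


def audit(requests):
    """Requests the substring rule would exempt but the anchored rule would not."""
    return [(p, q) for p, q in requests
            if naive_exempt(q) and not strict_exempt(p, q)]


# Constructed sample requests: (path, raw query string)
SAMPLE = [
    ("/pls/apex/f", "p=100:25:0"),        # the intended public page
    ("/pls/apex/f", "p=100:7:0&x=:25:"),  # different page, marker in an extra parameter
    ("/admin/report", "note=:25:"),       # unrelated path carrying the marker
    ("/pls/apex/f", "p=100:7:0:::25:"),   # different page, marker in a later field
    ("/pls/apex/f", "p=100:7:0"),         # no marker: authentication stays enforced
]

if __name__ == "__main__":
    for path, qs in audit(SAMPLE):
        print(f"substring rule would skip authentication for: {path}?{qs}")
```

Any exemption rule that can only be written as a substring of client-supplied input covers every URL a client can attach that substring to, which is why the anchored form is the narrowest version of the front-end approach.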



