On January 26, 2011 13:48 , Rich Bowen <rbowen@xxxxxxxxxxx> wrote:
On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle Application Express) and needs to SUPPRESS his default authentication (mod_cosign from weblogin.org) when the user's QUERY_STRING contains the string ":25:". Otherwise he wants to continue to enforce his authentication.Meanwhile, suppressing authentication based on a query string argument is not easy simply because it's a remarkably bad idea, as it undermines the very notion of authentication. However, if you must do this, then you'll probably need to implement your own authentication mechanism. HTTP auth happens too early in the process for what you're trying to do. The only solution that comes to mind is to have a front-end server that looks at the query string (say, mod_rewrite) and rewrites the request to an un-auth copy of the content when the query string has the right magic string in it.
If you're ignoring the "remarkably bad idea" part of Rich's response, above, here are some more ways to get in trouble:
- mod_cosign allows you to make authentication optional via the CosignAllowPublicAccess directive. If you are serving dynamic content (a CGI, etc.), you (or your developer) can then have your dynamic content (a CGI, etc.) force authentication if the user is not authenticated and the query string does not contain ":25:", but allow both authenticated and unauthenticated access otherwise. For specifics on how to implement this, ask on the cosign-discuss mailing list ( https://lists.sourceforge.net/lists/listinfo/cosign-discuss ). Unfortunately, this solution will not work for static content.
- You (or your developer) can modify mod_cosign to get what you need; this is horrible and ugly, but probably easier than implementing your own authentication mechanism. You'll probably want to add your additional check (return DECLINED if the query string contains ":25:") in the cosign source code near filters/apache/mod_cosign.c line 428. Lines 209-222 of the same file provide an example of code that checks the query string that could be rewritten for your needs. See http://cosign.git.sourceforge.net/git/gitweb.cgi?p=cosign/cosign;a=blob;f=filters/apache/mod_cosign.c;h=3a279745e70acef52211678e2a6a3acb89392a04;hb=HEAD
Again, this seems like a really bad idea.
The above bears repeating (if it's not obvious why its a bad idea, let us know so we can explain).
WHY does your developer think he needs to bypass authentication based on what's in the query string? Knowing the details of the situation may allow us to suggest an alternative solution. Remind your developer of http://www.catb.org/~esr/faqs/smart-questions.html#goal
-- Mark Montague mark@xxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|