On January 26, 2011 13:48 , Rich Bowen <rbo...@rcbowen.com> wrote:
On Jan 26, 2011, at 10:52 AM, J.Lance Wilkinson wrote:
I have a developer who's using Apache 1.3.9 (supplied as Oracle HTTP server within Oracle
Application Express) and needs to SUPPRESS his default authentication (mod_cosign from
weblogin.org) when the user's QUERY_STRING contains the string ":25:".
Otherwise he wants to continue to enforce his
authentication.
Meanwhile, suppressing authentication based on a query string argument is not
easy simply because it's a remarkably bad idea, as it undermines the very
notion of authentication. However, if you must do this, then you'll probably
need to implement your own authentication mechanism. HTTP auth happens too
early in the process for what you're trying to do.
The only solution that comes to mind is to have a front-end server that looks
at the query string (say, mod_rewrite) and rewrites the request to an un-auth
copy of the content when the query string has the right magic string in it.
If you're ignoring the "remarkably bad idea" part of Rich's response,
above, here are some more ways to get in trouble:
- mod_cosign allows you to make authentication optional via the
CosignAllowPublicAccess directive. If you are serving dynamic content
(a CGI, etc.), you (or your developer) can then have your dynamic
content (a CGI, etc.) force authentication if the user is not
authenticated and the query string does not contain ":25:", but allow
both authenticated and unauthenticated access otherwise. For specifics
on how to implement this, ask on the cosign-discuss mailing list (
https://lists.sourceforge.net/lists/listinfo/cosign-discuss ).
Unfortunately, this solution will not work for static content.
- You (or your developer) can modify mod_cosign to get what you need;
this is horrible and ugly, but probably easier than implementing your
own authentication mechanism. You'll probably want to add your
additional check (return DECLINED if the query string contains ":25:")
in the cosign source code near filters/apache/mod_cosign.c line 428.
Lines 209-222 of the same file provide an example of code that checks
the query string that could be rewritten for your needs. See
http://cosign.git.sourceforge.net/git/gitweb.cgi?p=cosign/cosign;a=blob;f=filters/apache/mod_cosign.c;h=3a279745e70acef52211678e2a6a3acb89392a04;hb=HEAD
Again, this seems like a really bad idea.
The above bears repeating (if it's not obvious why its a bad idea, let
us know so we can explain).
WHY does your developer think he needs to bypass authentication based on
what's in the query string? Knowing the details of the situation may
allow us to suggest an alternative solution. Remind your developer of
http://www.catb.org/~esr/faqs/smart-questions.html#goal
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
