HTTP Auth: Demand Satisfaction

by gary on Fri, 02/29/2008 - 17:16

I just had an interesting question posed to me. Say you have a site that needs the usual generic http auth stuff. But say you have a few directories that you don't want to require credentials for. And pretend you can't use .htaccess.

        <Directory "/path/to/docroot">
                AllowOverride All
                AuthUserFile /path/to/.htpasswd
                AuthType Basic
                AuthName "Iz Sekritz, Shhh"
                Require valid-user
        </Directory>
        <Directory "/path/to/unprotected/subdirectory">
                Satisfy Any
        </Directory>

(Note: Check with your software/site/rest of your configuration before using 'AllowOverride All' - you likely don't need 'All' there - but for brevity's sake...)

The magic here happens with Satisfy Any, a useful little directive that smacks Apache around with a glove, then shoots it in the foot the next day at dawn. (Both people and web servers are more polite in a dueling society, I find.)

Satisfy Any tells Apache to serve a request that passes either the host access restriction or the username/password requirement, instead of demanding both. In this example, the browser has satisfied the host access restriction (notice - there isn't one, so any browser attempting to view the subdirectory passes that by default), and that's good enough - send the requested page.

You could also use Satisfy All if you want to see things not work. Satisfy All works in a logical manner, demanding that *all* access restrictions be met before serving a page. If we applied that here, things wouldn't work: while the browser would pass the non-existent host restriction, it would still need to supply a user/pass.

Note, this has been tested under Apache 2. Might not work if you're all old school and using 1.3, as 1.3's docs specifically state:

"This directive is only useful if access to a particular area is being restricted by both username/password and client host address."

Since I'm too busy at the moment to set up Apache 1.3 to find out whether that means, "It's not going to work!" or "I'm going to cry if you keep using my innocent, pure directives in such a perverted manner!" I leave the discovery of such up to the reader.
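The same layout for Apache 2.4, where Satisfy survives only as a deprecated directive in mod_access_compat, next to a more explicit 2.2 form of the subdirectory block. This is an added example, not part of the original post: the paths are the post's placeholders, and `AllowOverride None` assumes nothing on the site relies on .htaccess.

```apache
# --- Variant A: Apache 2.4 (mod_authz_core), no Satisfy needed ---
<Directory "/path/to/docroot">
    # Assumption: no .htaccess overrides are required, so a stray
    # .htaccess cannot alter the auth settings below.
    AllowOverride None
    AuthType Basic
    AuthName "Iz Sekritz, Shhh"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Directory>

<Directory "/path/to/unprotected/subdirectory">
    # With the default "AuthMerging Off", this Require replaces the
    # inherited "Require valid-user" rather than being combined with it.
    Require all granted
</Directory>

# --- Variant B: Apache 2.2, use instead of the 2.4 subdirectory block ---
# Stating the host rule explicitly keeps the subdirectory open even if
# an Order/Allow/Deny restriction is later added to a parent directory.
# Without it, the inherited host rule becomes one half of "Any", and
# clients outside the allowed hosts get a password prompt here.
#
# <Directory "/path/to/unprotected/subdirectory">
#     Order allow,deny
#     Allow from all
#     Satisfy Any
# </Directory>
```

After reloading, an unauthenticated request to the docroot should return 401 and one to the subdirectory should return 200; anything else means another section or .htaccess file is overriding these blocks.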

Tags: apache
