httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Access control to files for logged in users only using apache
Date Wed, 04 Jun 2008 14:33:06 GMT


Artem Kuchin wrote:
> 
> 
> André Warnier wrote:
>> Artem Kuchin wrote:
>>> Hello!
>>>
>>> Here is the situation. I have a bunch of files (thousands) in a
>>> directory structure which is accessible via direct url.
>>>
>>> For example:
>>>
>>> directory:
>>>
>>> htdata/index.html
>>> htdata/files
>>> htdata/files/1/file1.dat
>>> htdata/files/1/file2.dat
>>> htdata/files/2/file3.dat
>>> htdata/files/3/file4.dat
>>>
>>> The point is to make ONLY CERTAIN files available to users who
>>> are logged in and qualified for access to the files.
>>>
>>> For example: user john has logged in using apache auth scheme
>>> and he is qualified (SOMEHOW. HOW to tell it to apache?)
>>> for access to file2 and file4. After that this user can download them.
>>> Access to all other files gives "forbidden".
>>>
>>> Any idea?
>>>
>> Hi.
>>
>> In function of what criteria is a user qualified or not to access 
>> which file ?  or in function of what criteria is a file said to be 
>> accessible by which users ?
>>
>>
> Well, basically software must open and close access to files, but access 
> itself must be granted or denied by apache.
> For example:
> 1) apache authorized the user (basic login)
> 2) user does something that makes software set a cookie OR write a 
> special file where it is specified which user has access to which file
> 3) user is provided with the link and can download the file(s), apache 
> controls access using cookie (not secure at all) or the file with
> permissions (nice and secure)
> 

I am not the ultimate expert, and you may want to wait for someone else 
to comment on this, but what you explain above makes me think that 
basically, the conditions under which a user gets access or not to a 
given file are what I would call "complex and non-standard".

I do not think that you will find a way to do exactly what you want 
using just built-in Apache possibilities, and maybe not even standard 
Apache add-on modules.

Using my own knowledge (Apache, perl and mod_perl), I would think that 
what you need here is a custom-made mod_perl-based "PerlAuthzHandler" 
add-on module, which will handle the "authorization" phase of the access 
to these URLs according to the precise rules you would specify, and 
either allow the user to access the file, or return a forbidden response 
(or something nicer).  Such a handler could easily and securely handle 
authorization based on either a cookie or some file, independently of 
the file permissions themselves at the OS level.

I would offer to write it for you in my professional capacity, if you do 
not get any better suggestions on this list.

André

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

