Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

allowing pass-through for read-only via proxy

Russ Allbery eagle at windlord.stanford.edu
Mon Oct 15 11:26:08 PDT 2007


"John DeStefano" <john.destefano at gmail.com> writes:

> Is there a FilesMatch or some other Apache or WebAuth directive that
> we can use within the Location in our ssl.conf (below), which
> basically says:
> - If the URL includes "/twiki/bin/view", then allow the user to pass
> through without authenticating.
> - If the URL includes "/twiki/bin/*" ("edit", "save", "publish", or
> any other ending besides "/view"), then WebAuth must enforce
> authentication.

WebAuth in this respect works exactly like any other Apache authentication
handler, which is both helpful and not.  It's not that helpful in that
Apache doesn't provide an easy way, that I know of, of overriding an
access restriction applied at a higher level.

What I would probably do for this is abuse satisfy to get the behavior I
wanted.  Try:

<LocationMatch "^/twiki/bin/.*">
    AuthType WebAuth
    allow from all
    require valid-user
    satisfy all
</LocationMatch>

<Location "/twiki/bin/view">
    satisfy any
</Location>

satisfy all means that both the WebAuth restriction and the host access
restriction must be met, which in practice requires WebAuth.  In the view
stanza, you change that to satisfy any, which means that only one or the
other of the restrictions must be met, and since the host-based
restriction allows anything, that lets in everyone.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University



More information about the webauth-info mailing list