I am trying to set up a RESTful web service where GET is open to all but POST, PUT, and DELETE are restricted to authorized users. I have a database of users that is checked using Basic Auth. So far, so good. I *also* want to make it possible to issue certificates (from a home-rolled CA) to users if they wish, so they can bypass the username/password dialogues. Try as I might, I simply cannot get an either/or setup working where certs are checked and Basic Auth is skipped if a valid cert is found. No matter what, the Basic Auth dialog always appears. It also appears that the <Limit> directive does not work with SSLRequire directives? Is there a way to limit only certain methods using SSL? I've tried +FakeBasicAuth, but then the database lookup code rejects the username (of course). Here's what my config looks like right now. I would really appreciate any pointers or suggestions. Thanks so much for your time.
--BEGIN CONFIG--
<Directory "/home/html/games/rest">
    SSLOptions +StdEnvVars
    AllowOverride all
    Order deny,allow
    Allow from all
    Satisfy any
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    SSLRequire (  \
        %{SSL_CLIENT_S_DN_O} eq "Super Duper Games"  \
        and %{SSL_CLIENT_S_DN_OU} eq "REST Server"  \
    )
    AuthType Basic
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT encrypt(password) FROM users WHERE username=%s"
    AuthName "Super Duper Games"
    <limit PUT POST DELETE>
        Require valid-user
    </limit>
</Directory>
--END CONFIG--

-- 
Aaron Dalton | Super Duper Games
[EMAIL PROTECTED] | http://superdupergames.org
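An added example, not part of Aaron's message or of any reply shown here: the same either/or arrangement written for Apache httpd 2.4 (assumed version), where mod_ssl's ssl-verify-client authorization provider can sit inside a <RequireAny> next to valid-user, so Basic Auth is only challenged when the certificate branch fails. The CA certificate path is an assumption.

```apache
# Apache httpd 2.4 (assumed): client certificate OR Basic Auth for modifying
# methods, anonymous read access for GET/HEAD, everything over TLS.
# Example added here; not Aaron's config or an answer from the list.

# Ask for a client certificate but do not fail the handshake without one.
# Kept at virtual-host level so no per-directory TLS renegotiation is needed.
SSLVerifyClient optional
SSLVerifyDepth 1
# Assumed path to the home-rolled CA's certificate.
SSLCACertificateFile "/etc/apache2/ssl/superdupergames-ca.crt"

<Directory "/home/html/games/rest">
    # Refuse plaintext for every method: Basic Auth credentials must never
    # cross the wire unencrypted, and certificate auth needs TLS anyway.
    SSLRequireSSL
    SSLOptions +StdEnvVars

    AuthType Basic
    AuthName "Super Duper Games"
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT encrypt(password) FROM users WHERE username=%s"

    # Read-only methods are open to everyone.
    <Limit GET HEAD>
        Require all granted
    </Limit>

    # Every other method (POST, PUT, DELETE, and also PATCH etc., which a
    # positive <Limit POST PUT DELETE> list would leave unprotected) needs
    # EITHER a certificate chained to our CA with the expected subject
    # OR a valid DBD user. mod_authz_core evaluates the certificate branch
    # before any authentication runs, so cert holders get no password dialog.
    <LimitExcept GET HEAD>
        <RequireAny>
            <RequireAll>
                Require ssl-verify-client
                Require expr "%{SSL_CLIENT_S_DN_O} == 'Super Duper Games' && %{SSL_CLIENT_S_DN_OU} == 'REST Server'"
            </RequireAll>
            Require valid-user
        </RequireAny>
    </LimitExcept>
</Directory>
```

Note that the Require inside <Limit> and the one inside <LimitExcept> live in the same section and are combined by method: a bare `Require all granted` placed directly in the <Directory> would apply to every method and silently grant the write methods too.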