RE: Making mod_auth_digest mysql

2009-02-12 Thread Michele Waldman
Lol.  I'm using the proper syntax on the server.  Just checked.

-Original Message-
From: Eric Covener [mailto:cove...@gmail.com] 
Sent: Thursday, February 12, 2009 2:49 PM
To: modules-dev@httpd.apache.org
Subject: Re: Making mod_auth_digest mysql

On Thu, Feb 12, 2009 at 2:25 PM, Michele Waldman mmwald...@nyc.rr.com
wrote:
> RewriteCond ${REMOTE_USER} . does not seem to work when the REMOTE_USER is
> not defined.  The statement evaluates to true.

What happens when you use the proper syntax,  %{REMOTE_USER}?

-- 
Eric Covener
cove...@gmail.com



Re: Making mod_auth_digest mysql

2009-02-12 Thread Eric Covener
On Thu, Feb 12, 2009 at 3:27 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
>> RewriteCond ${REMOTE_USER} . does not seem to work when the REMOTE_USER is
>> not defined.  The statement evaluates to true.
>
>> What happens when you use the proper syntax,  %{REMOTE_USER}?
>
> Lol.  I'm using the proper syntax on the server.  Just checked.

Works for me:  http://apache.pastebin.ca/1335270

.htaccess:
RewriteEngine on
RewriteCond %{REMOTE_USER} .
RewriteRule .* - [G]

127.0.0.1 - - [12/Feb/2009:15:40:42 --0500]
[localhost/sid#954fc98][rid#9578328/initial] (4) RewriteCond: input=''
pattern='.' => not-matched

-- 
Eric Covener
cove...@gmail.com


RE: Making mod_auth_digest mysql

2009-02-12 Thread Michele Waldman
Basically, when a user is logged out, %{REMOTE_USER} is not defined.  It
seems any RewriteCond using an undefined server environment variable always
evaluates to true.  I don't want this.  I want false if not defined.  I'm
going to hack apache, if I have to.

Michele



Re: Making mod_auth_digest mysql

2009-02-12 Thread Eric Covener
On Thu, Feb 12, 2009 at 3:44 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> Basically, when a user is logged out, %{REMOTE_USER} is not defined.  It
> seems any RewriteCond using an undefined server environment variable always
> evaluates to true.  I don't want this.  I want false if not defined.  I'm
> going to hack apache, if I have to.

That's not the behavior of variables in rewriteconds.

Try a simpler testcase.

-- 
Eric Covener
cove...@gmail.com


Re: Making mod_auth_digest mysql

2009-02-12 Thread Eric Covener
On Thu, Feb 12, 2009 at 3:49 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> I'm doing this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} .
> RewriteRule ^.*$ - [S=1]
> RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
>
> AuthType Digest
> AuthName account
> AuthUserFile /path/.htpasswd
> Require valid-user
>
> 1) The user is logged in.
> 2) The user logs out.
> 3) In ff, the user hits the backpage button.
> 4) The user gets a dialog box to login rather than being redirected.


HTTP is stateless.  You wrote a rule that wants to see if
authentication has already occurred, so on some level you're
acknowledging that authentication is processed _before_ your rewrite.

When you configure authentication for a resource, the very same code
that would authenticate you will immediately prompt you for
credentials if they're not provided.  This happens before your
per-directory rewrites have a chance to do anything.

RewriteLog would likely tell you that the conditions/rules are not
evaluated in this scenario, because the 401 is returned before the
fixup hook where rewrite runs in per-dir context.

-- 
Eric Covener
cove...@gmail.com


Re: Making mod_auth_digest mysql

2009-02-12 Thread Joe Lewis

Michele Waldman wrote:
> I'm doing this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} .
> RewriteRule ^.*$ - [S=1]
> RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
>
> AuthType Digest
> AuthName account
> AuthUserFile /path/.htpasswd
>
> Require valid-user
>
> 1) The user is logged in.
> 2) The user logs out.
> 3) In ff, the user hits the backpage button.
> 4) The user gets a dialog box to login rather than being redirected.
>
> Michele
Are you trying to get the user to be redirected if they are not logged 
in? It shouldn't require hacking apache or rewriting a module. Try 
turning off the authentication requirement for the /logged_out.html 
page. Then, on a 401, send them to the login page. Probably similar to:


https://admin.sharktooth.org/account/

In this case, everything except the help files, and the utilities for 
assisting with logging in have been protected, while these resources 
have not. Is that what you are after?


--
Joe Lewis
Chief Nerd  SILVERHAWK http://www.silverhawk.net/   (801) 660-1900


/You know there is a problem with the education system when you realize 
that out of the 3 R's only one begins with an R.

--Dennis Miller/


RE: Making mod_auth_digest mysql

2009-02-12 Thread Michele Waldman
There is no authentication requirement for logged_out; it's in a higher
directory.




Re: Making mod_auth_digest mysql

2009-02-12 Thread Joe Lewis

Michele Waldman wrote:
> There is no authentication requirement for logged_out; it's in a higher
> directory.


Okay, then. I'm afraid I am not understanding everything here. I doubt 
the wheel needs to be reimplemented, but it seems the push is in that 
direction. For my feeble mind, can you give a brief overview of what you 
are trying to accomplish?


As I see it, you were creating a mod_auth_digest_mysql. This now feels 
completely different than just an authentication.


--
Joe Lewis
Chief Nerd  SILVERHAWK http://www.silverhawk.net/   (801) 660-1900


/They're multi purpose. Not only do they put the clips on, but they take 
them off.
--Pratt & Whitney spokesperson explaining why the company charged the 
Air Force nearly $1,000 for an ordinary pair of pliers./


RE: Making mod_auth_digest mysql

2009-02-12 Thread Michele Waldman
It is different than just authenticating.

Due to an htaccess authentication implementation, it requires a work around
to prevent those pesky popups the browsers produce.

I'm trying to do a spin on this:
http://www.berenddeboer.net/rest/authentication.html

Implementing the mod_auth_digest authenticating against mysql was all part
of this.

Michele




Re: Making mod_auth_digest mysql

2009-02-12 Thread Joe Lewis

Michele Waldman wrote:
> All the actual authentication is fine.  I wouldn't rely on cookies for
> security.  It sounds like cookies would be a fake security.
>
> I was thinking about creating a logout cookie.
>
> Then, the popup would only happen if the user hacked their cookies.
>
> Shame on them.
>
> But it seems like such a hack to me.  I dread it.
>
> I'm not seeing in your example how that 401 error would be generated.  What
> would the htaccess look like?


[HTACCESS]
#AllowOverride AuthConfig
Order allow,deny
Allow from all

AuthName "Protected System"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://localhost/dc=localhost?mail?sub
AuthLDAPBindDN cn=directoryuser,dc=localhost
AuthLDAPBindPassword directoryuserpassword
AuthLDAPGroupAttribute memberuid
AuthCookieName VisitorID

require valid-user

ErrorDocument 401 /account/help/unauthorized.html
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R]

[/HTACCESS]

To document the file - the first stuff is actually for LDAP 
authentication, and mod_auth_cookie. The utility that sets the cookie 
never sets the cookie, on which the browser is supposed to remove it 
when closed. A log out is simply a cookie overwrite.


However, if you wish to demonstrate your apache module programming 
prowess, you can always create a mod_auth_cookie module that sets a 
SESSION variable, and then pulls the credentials from the session data 
rather than from a cookie - it can be as secure as anything out on the 
Internet today, depending on how you configure it to go. It can be as 
complex or as simple as you wish to make it. (I prefer simple - it's 
easier to troubleshoot if you have problems.)


Convoluted?
--
Joe Lewis
Chief Nerd  SILVERHAWK http://www.silverhawk.net/   (801) 660-1900


/They give you a round bat and they throw a round ball. And tell you to 
hit it square.

-- Willie Stargell/


RE: Making mod_auth_digest mysql

2009-02-08 Thread Michele Waldman
I don't drink that frequently, but when I do I get chatty, even on the
computer.

-Original Message-
From: Ray Morris [mailto:supp...@bettercgi.com] 
Sent: Sunday, February 08, 2009 8:00 PM
To: modules-dev@httpd.apache.org
Subject: Re: Making mod_auth_digest mysql

> Sorry, about the extraneous personal notes. 
> The "I love you" was an exaggeration of "thank you".
> I kid around.  I don't know that people
> understand that.

   No problem - I get a lot of that. :)

> I should never go near a computer when I'm 
> drinking.  I also type stuff I regret.

   It used to be I shouldn't go around ANYTHING 
when I was drinking, which was pretty often!
Then thirteen years ago I found a way that I 
don't need to drink like that any more, thankfully.
--
Ray B. Morris
supp...@bettercgi.com

Strongbox - The next generation in site security:
http://www.bettercgi.com/strongbox/

Throttlebox - Intelligent Bandwidth Control
http://www.bettercgi.com/throttlebox/

Strongbox / Throttlebox affiliate program:
http://www.bettercgi.com/affiliates/user/register.php


On 02/08/2009 09:05:54 AM, Michele Waldman wrote:
> Sorry, about the extraneous personal notes.  The "I love you" was an
> exaggeration of "thank you".  I kid around.  I don't know that people
> understand that.
>
> I had already started drinking in celebration of finishing my 
> project.
>
> I should never go near a computer when I'm drinking.  I also type
> stuff I regret.
>
> Thank you again.
>
> But, I have to know how does
>
> RewriteCond ${REMOTE_USER} .
>
> Is the . for any character?  Why does it evaluate correctly when
> undefined and != doesn't?
>
> Michele
>
> -Original Message-
> From: Ray Morris [mailto:supp...@bettercgi.com] 
> Sent: Friday, February 06, 2009 3:05 PM
> To: modules-dev@httpd.apache.org
> Subject: Re: Making mod_auth_digest mysql
>
> > I'm thinking about adding a -e flag for environment 
> > variable does not exist to httpd on my server.  
> > It would return true if the variable exists 
> > or false, otherwise. Is there a way to already 
> > do this?
>
>
>   For your purpose, you can use:
> RewriteCond %{REMOTE_USER} !.
> or as appropriate:
> RewriteCond %{REMOTE_USER} .
>
> That will check for any non-empty value 
> by matching at least any single character.
>
>
> > It looks like: RewriteCond ${REMOTE_USER} != always 
> > evaluates to true if REMOTE_USER does not exist.  
> > Am I wrong?
>
>
>   That's correct, if it doesn't exist, it's not
> the empty string.  What's in that bucket on your 
> desk?  "There is no bucket" is a different answer 
> than "the bucket is empty".  Since you apparently 
> understand SQL, let me explain that by saying it's 
> the same thing as the difference between trying 
> to get the value of a column which doesn't exist, 
> which is an outright error, versus a column with 
> the value 0, versus a text column with empty 
> text (), versus an unknown value, represented 
> by NULL.  Not existing isn't the same thing as
> existing and being empty.
> --
> Ray B. Morris
> supp...@bettercgi.com
>
> On 02/05/2009 10:43:57 PM, Michele Waldman wrote:
> > RewriteCond has flags -f -d ...
> > But not -e for exists.
> > It looks like:
> > RewriteCond ${REMOTE_USER} != always evaluates to true if
> > REMOTE_USER does not exist.  Am I wrong?
> > I'm thinking about adding a -e flag for environment variable does not
> > exist to httpd on my server.  It would return true if the variable exists
> > or false, otherwise.
> > Is there a way to already do this?
> > Thoughts?
> >
> > Michele


RE: Making mod_auth_digest mysql

2009-02-06 Thread Michele Waldman
I mean to check server environment variables which is what REMOTE_USER is.

I just want to know if the variable is defined on the server then I could do
this:

RewriteEngine On
RewriteCond %{REMOTE_USER} -e
RewriteRule ^(.*)$ - [S=1]
RewriteRule ^.*$ http://domain/login.html [R]

Right now when REMOTE_USER is not defined this line gets executed:
RewriteRule ^(.*)$ - [S=1]

I want that line to be skipped if REMOTE_USER has not been defined as a
server environment variable.

You can see the values in phpinfo();  It is only defined if the user is
logged in.

Why would a nonexistent variable evaluate to true?

Michele




Re: Making mod_auth_digest mysql

2009-02-06 Thread Eric Covener
On Fri, Feb 6, 2009 at 8:49 AM, Michele Waldman mmwald...@nyc.rr.com wrote:
> I mean to check server environment variables which is what REMOTE_USER is.

This might be better off on us...@httpd.apache.org

> I just want to know if the variable is defined on the server then I could do
> this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} -e

I couldn't find any reference to -e; to check if it's empty you can
do != or !^$

> RewriteRule ^(.*)$ - [S=1]
> RewriteRule ^.*$ http://domain/login.html [R]
>
> Right now when REMOTE_USER is not defined this line gets executed:
> RewriteRule ^(.*)$ - [S=1]
>
> I want that line to be skipped if REMOTE_USER has not been defined as a
> server environment variable.

In per-vhost context, that will never be set unless you use the
lookahead feature.


> You can see the values in phpinfo();  It is only defined if the user is
> logged in.

That processing is later, so REMOTE_USER may be set by then.

> Why would a nonexistent variable evaluate to true?

Unless I'm confused re: -e, it seems like your -e would be
interpreted as a regex, but that shouldn't match an empty string
AFAICT.


-- 
Eric Covener
cove...@gmail.com


Re: Making mod_auth_digest mysql

2009-02-06 Thread Dave Ingram
The -f and -d flags for RewriteCond are for checking the file system,
not environment variables, although they can use environment variables
if necessary. For example:

RewriteCond %{DOCUMENT_ROOT}/%{ENV:foo} -d

would check that the folder named by the environment variable foo
exists in the document root.


Dave


Michele Waldman wrote:
> RewriteCond has flags -f -d ...
> But not -e for exists.
> It looks like:
> RewriteCond ${REMOTE_USER} != always evaluates to true if REMOTE_USER does
> not exist.  Am I wrong?
> I'm thinking about adding a -e flag for environment variable does not exist
> to httpd on my server.  It would return true if the variable exists or
> false, otherwise.
> Is there a way to already do this?
> Thoughts?
>
> Michele




Re: Making mod_auth_digest mysql

2009-02-05 Thread Bob Ionescu
2009/2/1 Michele Waldman mmwald...@nyc.rr.com:
The userlist (http://httpd.apache.org/userslist.html) might be a
better place, but...

> I want to do the following in htaccess for account security:
>
> <FilesMatch ".*[^(wp_login.php|logout.php)]">

That would not do what it should do. [^...] is a negated character
class to exclude certain characters but not a specific string. You'll
need a negative lookahead

<FilesMatch "^(?!wp_login\.php|logout\.php)">

> Basic authentication doesn't remember the authtype, but Digest does.

AuthType? AuthName, I guess.

> I'm connecting over a secure certificate.  I believe a user could possibly
> telnet and send an authorization header?

I'd expect that you/your module would require SSL/TLS, but if a client
sends an authorization request header which contains 'Account', you'd
authenticate. Not very secure?!

> I want to know the risk of them getting or guessing the right AuthType under
> these circumstances.

If you're requesting wp_login.php AuthName should be served. Of
course, someone needs to know that; you could perform a probability
calculation, of course. Expect the unexpected.

> The point of this is to avoid the ugly popups that requiring authentication
> causes.

How do you convince the client to send an authorization request
header? Via such a popup for wp_login.php. Once authenticated the
popup shouldn't appear for that session and realm but I guess your
point is that no one should see that they can authenticate except they
are using the back door link wp_login.php?

> Does anyone have any suggestions on a better approach?

Maybe. If my last assumption is your point modify/write an auth
module which replies with a
 - 401
   - for certain URLs (e.g. /wp_login.php) if no authorization header was present or
   - for all URLs if an authorization header was present but the credentials didn't match;

or with a
 - 403 if the condition for a 401 didn't match.

The bottom line would be that the client is either authenticated or
receives a 403 forbidden instead of a 401.

Bob
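Bob's two points above, the negated character class versus the negative lookahead and the 401/403 decision his sketched module would make, as an added Python model (not code from the thread or from any Apache module). It assumes Basic credentials in place of the thread's Digest, an invented user table, the thread's /wp_login.php login URL and "account" realm, and adds an anchored variant of the lookahead that the thread does not give.

```python
import base64
import hmac
import re
from typing import Dict, Optional, Tuple

# The two FilesMatch patterns from the thread. A negated character class only
# excludes characters, so any basename made solely of the letters in
# "wp_login.php" and "logout.php" (login.php, pool.php) never matches and is
# left unprotected; the negative lookahead excludes exactly the two names.
NEGATED_CLASS = re.compile(r".*[^(wp_login.php|logout.php)]")
NEGATIVE_LOOKAHEAD = re.compile(r"^(?!wp_login\.php|logout\.php)")
# Added tightening, not from the thread: anchor the names so that variants
# such as logout.php.bak still fall inside the protected block.
ANCHORED_LOOKAHEAD = re.compile(r"^(?!(wp_login|logout)\.php$)")

# Constructed settings: login URL and realm come from the thread, the user
# table is invented and holds plaintext only to keep the example short.
LOGIN_PATHS = {"/wp_login.php"}
REALM = "account"
USERS: Dict[str, str] = {"michele": "correct horse"}


def files_match(pattern: "re.Pattern[str]", basename: str) -> bool:
    """FilesMatch semantics: an unanchored regex search over the basename."""
    return pattern.search(basename) is not None


def basic_header(user: str, password: str) -> str:
    """Build a Basic Authorization value (Basic stands in for the thread's
    Digest scheme; the challenge/response flow has the same shape)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header, or None if it is garbled."""
    if not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header.split(None, 1)[1], validate=True).decode()
    except (IndexError, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def decide(path: str, authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Bob's rule set: challenge (401) only a client that volunteered failing
    credentials or is on a login URL; everyone else gets 403 with no
    WWW-Authenticate header, which is what keeps the browser popup away."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if authorization is not None:
        creds = parse_basic(authorization)
        if creds is not None:
            user, password = creds
            expected = USERS.get(user, "").encode()
            # compare_digest keeps the password check free of a timing leak.
            if hmac.compare_digest(expected, password.encode()) and user in USERS:
                return 200, {}
        return 401, challenge  # header present but it did not authenticate
    if path in LOGIN_PATHS:
        return 401, challenge
    return 403, {}
```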