Apache permissions based on querystring

apache configuration kerberos
Frederiek picture Frederiek · Feb 1, 2013 · Viewed 11.1k times · Source

I have an apache server where authentication is required, but there are some calls that need to be allowed for all.

On off these calls is based on a query string for example:

/foo/api.php?Token=123&Task=DoStuff&Result=json

I taught that with a LocationMatch that this would have workd so i worked out this configuration:

<LocationMatch ^/foo/api.php\?.*(Task=DoStuff).*>
    Order Allow,Deny
    Allow from All
</LocationMatch>

But this doesn't let me pass the authentication (meaning i get a 401). If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.

Anyone has any idea how to configure this to check the Task parameter in the querystring?

For authentication we are using kerberos, this is forced on the whole site This is our conf for kerb

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Directory /var/www/html>
  Options FollowSymLinks
  AllowOverride All
  AuthType Kerberos
  Require valid-user
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbAuthRealms FOO.LOCAL
  KrbServiceName HTTP/[email protected]
  Krb5KeyTab /etc/httpd/conf/http.keytab
  Satisfy Any
  Order deny,allow
  Deny from all
  Allow from 192.168.72.90
  Allow from 192.168.72.91
  Allow from 192.168.72.94
  Allow from 192.168.72.95
  Allow from 127.0.0.1
</Directory>

Answer

user1419445 picture user1419445 · Feb 4, 2013

As you can read here:

The <Location>, <LocationMatch>, <Directory> and <DirectoryMatch> Apache directives allow us to apply authentication/authorization to specific patterns of resources with a high degree of specificity, but do not give us that control down to the query-string level.

Therefore, you have to use mod_rewrite to achieve you goal.
For example:

RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
      Order allow,deny
      Allow from env=no_auth_required
      AuthType Basic
      AuthName "Login Required"
      AuthUserFile /var/www/foo/.htpasswd
      require valid-user
      Satisfy Any
</LocationMatch>

UPDATE

You've stated that:

If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.

Then, try adding the following rows to your configuration:

RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
      Order allow,deny
      Allow from env=no_auth_required
</LocationMatch>

Related questions

Error message "Forbidden You don't have permission to access / on this server"

I have configured my Apache by myself and have tried to load phpMyAdmin on a virtual host, but I received: 403 Forbidden You don't have permission to access / on this server My httpd.conf # # This is the main Apache HTTP server …

Read More
ssl_error_rx_record_too_long and Apache SSL

I've got a customer trying to access one of my sites, and they keep getting this error > ssl_error_rx_record_too_long They're getting this error on all browsers, all platforms. I can't reproduce the problem at all. …

Read More
Apache won't follow symlinks (403 Forbidden)

I'm having some trouble setting up Apache on Ubuntu. I've been following this guide. # /usr/sbin/apache2 -v Server version: Apache/2.2.17 (Ubuntu) Server built: Feb 22 2011 18:33:02 My public directory, /var/www, can successfully serve up and execute PHP pages that are …

Read More