Order of require directives

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Order of require directives

Postby ales85 » 15. May 2017 20:19

I need some help with Apache configuration when using multiple require directives (condition: any). What I would like to achieve is SSO when using Apache with Xampp on Windows (any version) through SSPI module. However I need a fallback mechanism that would allow ANY user to also visit the page but I would then provide alternate means of authentication.

At the moment I have SSO through SSPI functioning with the proper configuration and "require valid-user" directive. When I try to permit any other user that is not capable of authenticating through SSO to also access the page the problem is that Apache always seems to use the less complicated method of authentication (or none). So when I use configuration such as the following:
<RequireAny>
require valid-user
require all granted
</RequireAny>
In the case above all users will just automatically be granted access without any authentication. The same goes if I replace "require all granted" with:
require expr ${HTTP_COOKIE} -strmatch "*ALLOWED*"
having previously set a proper cookie in a custom 401 page.

To summarize, I'd like to always authenticate users first through SSO and if this doesn't work, then all users should be granted access. The reason for this is that I need REMOTE_USER key in $_SERVER variable if such authentication can be performed (user exists in AD).
ales85
 
Posts: 4
Joined: 15. May 2017 20:08
XAMPP version: 3.2.2
Operating System: Windows 10 64bit

Re: Order of require directives

Postby Nobbie » 15. May 2017 20:45

The Apache configuration is not a procedural language and does not know an order. Only some modules (like mod_rewrite) knows conditions and orders, but generally there is no order in Apache configurations. Depending on the context one or all options have to fit.
Nobbie
 
Posts: 9615
Joined: 09. March 2008 13:04

Re: Order of require directives

Postby Altrea » 15. May 2017 20:50

Since Apache 2.4 you can use powerful expressions, like
Code: Select all
<If "-z %{REMOTE_USER}">
which is valid for empty REMOTE_USER.

That is the only way i would see a chance to build a fallback the way you want.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8879
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Order of require directives

Postby Nobbie » 16. May 2017 10:34

All in all i think its easier to build a PHP based login script (like very many tools have), that gives you the full power of PHP instead of the clumsy Apache configuration.
Nobbie
 
Posts: 9615
Joined: 09. March 2008 13:04

Re: Order of require directives

Postby ales85 » 16. May 2017 11:57

@Altrea I've tried your solution but it doesn't help. No matter what kind of combination I attempt it always seems to use the simplest require directive that will permit access. Meaning that if a client is capable of both, it'll only use the simplest one that doesn't provide me with the required information (REMOTE_USER).

@Nobbie what do you recommend for that? Everything that I've found relies on the web server and client to negotiate authentication first, before I can use that in PHP.
ales85
 
Posts: 4
Joined: 15. May 2017 20:08
XAMPP version: 3.2.2
Operating System: Windows 10 64bit

Re: Order of require directives

Postby Nobbie » 16. May 2017 16:13

ales85 wrote:@Nobbie what do you recommend for that?


As i said, a PHP script (you have to do that on yourself, maybe you can find some examples in the WWW). As you can see for example, this forum also comes with a login and this is not established by Apache Configuration, but by PHP script. With the help of PHP you can do any sophisticated login script. Of course you have to know PHP (what i assumed).
Nobbie
 
Posts: 9615
Joined: 09. March 2008 13:04

Re: Order of require directives

Postby ales85 » 16. May 2017 16:29

Nobbie wrote:
ales85 wrote:@Nobbie what do you recommend for that?


As i said, a PHP script (you have to do that on yourself, maybe you can find some examples in the WWW). As you can see for example, this forum also comes with a login and this is not established by Apache Configuration, but by PHP script. With the help of PHP you can do any sophisticated login script. Of course you have to know PHP (what i assumed).

Well, I do know PHP, so you assumed correct. But what I don't know is how to do a seamless login through PHP without Apache intervention that sets up REMOTE_USER variable.

In other words, I don't know of any way that enables PHP to do what Apache can do. I did look for exactly such solutions but came up empty. Do you have a suggestion?
ales85
 
Posts: 4
Joined: 15. May 2017 20:08
XAMPP version: 3.2.2
Operating System: Windows 10 64bit

Re: Order of require directives

Postby Nobbie » 16. May 2017 19:00

ales85 wrote:But what I don't know is how to do a seamless login through PHP without Apache intervention that sets up REMOTE_USER variable.


REMOTE_USER is only a name, Apache has only limited possibilities. You may use any Cookie or Session Variable when using PHP. This is by far easier to handle and to evaluate.

ales85 wrote:Do you have a suggestion?


Tutorials, books, any kind of documentation. I am a bit of surprised, if you are a skilled PHP programmer, this should not be a real problem?! All login scripts (even Apache) stores and retrieves user information into Cookies (and/or session variables) and usually its not a big job to create a login. If unsure, you may also download well known PHP scripts with logins (like this forum, like WordPress, like Joomla etc. pp.) and look, how the login is realised.

Or simply enter "php login script download" into Google and you will get tons of PHP snippets and scripts with login functionality.
Nobbie
 
Posts: 9615
Joined: 09. March 2008 13:04

Re: Order of require directives

Postby ales85 » 16. May 2017 20:04

@Nobbie I think that you keep forgetting the SSO part of the authentication :)
ales85
 
Posts: 4
Joined: 15. May 2017 20:08
XAMPP version: 3.2.2
Operating System: Windows 10 64bit

Re: Order of require directives

Postby Nobbie » 16. May 2017 20:22

ales85 wrote:@Nobbie I think that you keep forgetting the SSO part of the authentication :)


No, i didnt. Of course there is NOTHING, what one can do with Apache, what i cannot do with PHP (or any other language).
Nobbie
 
Posts: 9615
Joined: 09. March 2008 13:04


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 38 guests