Misc Notes about Security/401/etc

Postby produke » 21 Oct 2006 04:51

Authorization
Authorization is the process of verifying if a user, once identified by the authentication mechanism, is permitted to access the requested resource. The access is usually determined by verifying if the user is coming from a certain location or has a specific client environment characteristic.

Order
The order directive is a bit tricky for new Apache users, as it controls two seemingly unrelated issues:

Controls the order in which the Allow and Deny directives are processed.

Sets a default policy for connections that do not match either of the Allow or Deny rules.

There are only two options available to the order directive, discussed next.

Order deny, allow
This order creates the following rule set; the deny rules are processed before the allow rules. If the client does not match the deny rule or they do match the allow rule, then they will be granted access.

Order allow, deny
This is the opposite configuration in that the allow rules are processed before the deny rules. If the client does not match the allow rule or they do match the deny rule, then they will be denied access.

Let's show a few examples with the most basic of allow and deny rule qualifiers, the "All" parameter. Take a look at the following two example configurations:

Example 1: Client would be denied.

<Directory "/usr/local/apache/htdocs">
Order allow,deny
Deny from all
Allow from all
</Directory>

Example 2: Client would be allowed.

<Directory "/usr/local/apache/htdocs">
Order deny,allow
Deny from all
Allow from all
</Directory>

As these examples illustrate, unintended access may be allowed or denied if the directive arguments are applied in the wrong order. It is therefore extremely important to fully test all configurations to validate that the proper access control is attained.

IP Address and IP Range
Controlling access based on the client IP address or IP range is identical in syntax to using hostnames or domain names. The advantages to using IP addresses are that there is no overhead that is normally associated with hostname lookups, and it alleviates the possibility of a DNS-based attack. Here is an example that accomplishes the same goal as the one shown previously by allowing http://www.apache.org and the .apache.org domain.

<Directory "/usr/local/apache/htdocs">
Order allow,deny
Deny from all
Allow from 209.237.227.195
Allow from 209.237.
</Directory>
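The Order logic above as an added Python evaluator (my code, not the post's or Apache's): it applies the two Order policies to a client address with all, exact-IP, partial-IP, CIDR and domain-suffix matchers, reproducing Examples 1 and 2 and checking the IP-range block. Client addresses and the client_host argument are constructed inputs; hostname matching assumes the caller supplies the reverse-resolved name.

```python
import ipaddress

def matches(rule, client_ip, client_host=None):
    """True if one Allow/Deny argument matches the client (mod_authz_host style).
    Supports: all, exact IP, partial dotted IP ("209.237." or "209.237"),
    CIDR ("209.237.224.0/19"), domain suffix (".apache.org") and exact hostname.
    Hostname forms need the caller to pass the reverse-resolved client_host."""
    rule = rule.strip()
    if rule.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in rule:
        return ip in ipaddress.ip_network(rule, strict=False)
    parts = rule.rstrip(".").split(".")
    if all(p.isdigit() for p in parts):
        if len(parts) == 4:
            return ip == ipaddress.ip_address(rule)
        # partial IP: compare on octet boundaries so "209.23." does not match 209.237.x.x
        return client_ip.startswith(".".join(parts) + ".")
    if client_host is None:
        return False
    host = client_host.lower()
    return host.endswith(rule.lower()) if rule.startswith(".") else host == rule.lower()

def evaluate(order, deny_rules, allow_rules, client_ip, client_host=None):
    """Return "allow" or "deny" for a client under the given Order policy."""
    denied = any(matches(r, client_ip, client_host) for r in deny_rules)
    allowed = any(matches(r, client_ip, client_host) for r in allow_rules)
    policy = order.replace(" ", "").lower()
    if policy == "deny,allow":
        # Deny first, Allow last: a matching Allow overrides; unmatched clients are allowed
        return "deny" if denied and not allowed else "allow"
    if policy == "allow,deny":
        # Allow first, Deny last: a matching Deny overrides; unmatched clients are denied
        return "allow" if allowed and not denied else "deny"
    raise ValueError("Order must be Deny,Allow or Allow,Deny")

# Constructed client addresses used to exercise the three <Directory> blocks above.
EXAMPLE_1 = evaluate("allow,deny", ["all"], ["all"], "10.0.0.1")               # "deny"
EXAMPLE_2 = evaluate("deny,allow", ["all"], ["all"], "10.0.0.1")               # "allow"
IP_RULES = ["209.237.227.195", "209.237."]
RANGE_AS_WRITTEN = evaluate("allow,deny", ["all"], IP_RULES, "209.237.10.1")   # "deny"
RANGE_FIXED = evaluate("deny,allow", ["all"], IP_RULES, "209.237.10.1")        # "allow"
RANGE_OUTSIDE = evaluate("deny,allow", ["all"], IP_RULES, "198.51.100.7")      # "deny"

if __name__ == "__main__":
    print("example 1:", EXAMPLE_1, "| example 2:", EXAMPLE_2)
    print("range block as written:", RANGE_AS_WRITTEN, "| with Order deny,allow:", RANGE_FIXED)
```

The IP-range block as written pairs Order allow,deny with Deny from all, which matches every client on the Deny side, so the evaluator returns deny even for 209.237.10.1; with Order deny,allow the same Deny/Allow lines give the intended whitelist, which is the kind of mismatch the "test all configurations" advice is meant to catch.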
