On 03/06/2008 05:26:08 PM, Nebergall, Christopher wrote:
So while there may be 5 different ways a user may type the hostname and port portions of the URI for the same content, I would want it to evaluate to just 1 definitive answer that I can create policy for (or at least as few as possible).
Sounds like r->server->server_hostname and r->server->port to me, or use UseCanonicalName On to access it externally through an environment variable. Of course there are people on the list who know Apache a thousand times as well as I do. I figured I'd try to help with this one, though, to get karma credit for when I have a question for the real experts. :) -- Ray B. Morris [EMAIL PROTECTED] Strongbox - The next generation in site security: http://www.bettercgi.com/strongbox/ On 03/06/2008 05:26:08 PM, Nebergall, Christopher wrote:
Sorry let me clarify. I'm looking at doing external policy evaluation of the URI like is done is most SSO products. I have to create a policy for every URL the user may hit (with support for wildcards). I would like to minimize the number of policies created. So while there may be 5 different ways a user may type the hostname and port portions of the URI for the same content, I would want it to evaluate to just 1 definitive answer that I can create policy for (or at least as few as possible). Plus I need to beware of malicious users. If they set an invalid host header, I don't want a case where apache ignores the host header and host header port because it doesn't know about the server mentioned in the host header, but the policy code still uses it to do policy evaluation. That creates a case where the code would be granting or denying access based on the wrong policy. Example ServerName foo.com ServerAlias bob.smith.bar.com *.jones.com Assume these requests: GET http://bob.smith.bar.com/cgi-bin/printenv GET http://mark.jones.com/cgi-bin/printenv I want all of these evaluated to only http://foo.com/cgi-bin/printenv Which API's would do this for the server name and host portions?
