Artem Kuchin wrote:
André Warnier wrote:
Artem Kuchin wrote:
Hello!
Here is the situation. I have a bunch of files (thousands) in a
directory structure which is accessible via direct URL.
For example:
directory:
htdata/index.html
htdata/files
htdata/files/1/file1.dat
htdata/files/1/file2.dat
htdata/files/2/file3.dat
htdata/files/3/file4.dat
The point is to make ONLY CERTAIN files available to users who
are logged in and qualified for access to the files.
For example: user john has logged in using the Apache auth scheme
and he is qualified (SOMEHOW. HOW to tell it to Apache?)
for access to file2 and file4. After that this user can download them.
Access to all other files gives "forbidden".
Any idea?
Hi.
In function of what criteria is a user qualified or not to access
which file ? or in function of what criteria is a file said to be
accessible by which users ?
Well, basically software must open and close access to files, but access
itself must be granted or denied by Apache.
For example:
1) apache authorized the user (basic login)
2) user does something that makes software set a cookie OR write a
special file where it is specified what user has access to file
3) user is provided with the link and can download the file(s), Apache
controls access using the cookie (not secure at all) or the file with
permissions (nice and secure)
I am not the ultimate expert, and you may want to wait for someone else
to comment on this, but what you explain above makes me think that
basically, the conditions under which a user gets access or not to a
given file are what I would call "complex and non-standard".
I do not think that you will find a way to do exactly what you want
using just built-in Apache possibilities, and maybe not even standard
Apache add-on modules.
Using my own knowledge (Apache, perl and mod_perl), I would think that
what you need here is a custom-made mod_perl-based "PerlAuthzHandler"
add-on module, which will handle the "authorization" phase of the access
to these URLs according to the precise rules you would specify, and
either allow the user to access the file, or return a forbidden response
(or something nicer). Such a handler could easily and securely handle
authorization based on either a cookie or some file, independently of
the file permissions themselves at the OS level.
I would offer to write it for you in my professional capacity, if you do
not get any better suggestions on this list.
André
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
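The kind of handler André describes, as an added example that is not part of the original thread and is not his code: a minimal mod_perl 2 authorization handler that allows a request only when a grant file written by the application lists the authenticated user for that exact path. The module name `My::FileAuthz`, the `FileAclPath` variable and the `user:/path` grant format are assumptions made for this example.

```perl
# Added example, not from the thread. Assumes mod_perl 2, wired in with:
#   PerlAuthzHandler My::FileAuthz
#   PerlSetVar FileAclPath /path/to/file-acl.txt   (placeholder path)
# Assumed grant format, one grant per line:  john:/files/1/file2.dat
package My::FileAuthz;    # hypothetical module name

use strict;
use warnings;

use Apache2::RequestRec  ();    # $r->user, $r->uri
use Apache2::RequestUtil ();    # $r->dir_config
use Apache2::Log         ();    # $r->log_error
use Apache2::Const -compile => qw(OK FORBIDDEN HTTP_UNAUTHORIZED);

sub handler {
    my $r = shift;

    # The authentication phase (e.g. Basic auth) must already have set a user.
    my $user = $r->user;
    return Apache2::Const::HTTP_UNAUTHORIZED
        unless defined $user && length $user;

    # Fail closed: if the grant file is missing or unreadable, deny.
    my $acl = $r->dir_config('FileAclPath');
    my $fh;
    unless (defined $acl && open($fh, '<', $acl)) {
        $r->log_error('FileAuthz: cannot read grant file, denying access');
        return Apache2::Const::FORBIDDEN;
    }

    # Exact string match on the request path, so anything that is not
    # explicitly granted to this user is refused.
    my $uri     = $r->uri;
    my $allowed = 0;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#.*)?$/;        # skip blanks and comments
        my ($acl_user, $acl_path) = split /:/, $line, 2;
        next unless defined $acl_path;           # malformed line: ignore
        if ($acl_user eq $user && $acl_path eq $uri) {
            $allowed = 1;
            last;
        }
    }
    close $fh;

    return $allowed ? Apache2::Const::OK : Apache2::Const::FORBIDDEN;
}

1;
```

The grant file should live outside the document root and be writable only by the application that issues grants; how the handler is combined with `Require` lines depends on the Apache version in use.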