[users@httpd] Apache Directory Level access control

Tue, 21 Jan 2014 09:40:41 -0800 

CentOS-6.5-i86_64
httpd-2.2.15 (CentOS)

I have a problem with configuring directory access using groups. We have a
site with multiple sub-directories. We have several groups defined. We have
the entire site protected at the root by digest authentication and some of the
sub-directories protected by:

<Directory /protect/directory/path>
    Require group xxxxx
</Directory>

All directives are contained in the virtual web site configuration file.  We
are not using .htaccess files.

However, if one can authenticate at the root then one gets access to all the
sub-directories regardless of the authenticated user's group membership.  How
does one configure this so that authentication at the root is still restricted
by group membership in the sub-directories?

I tried putting a 'Require all denied' directive in the site root along with
Require group directives everywhere else but that blocks all access for all
users even in the protected directories.  No-one can get access.

The information I can find through web searching does not reveal to me what my
error is.  The configuration file looks like this:

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

#    Require all denied
#    Require group staff

#    AllowOverride AuthConfig FileInfo Indexes Limit Nonfatal=[] Options
#    AllowOverride None
    Order allow,deny
    allow from all
    Satisfy All

    Options Indexes MultiViews
    IndexOptions FancyIndexing
    AddDefaultCharset UTF-8

    Dav On
    # No Sever Minimum Timeout on locks - let WebDaV clients decide
    DAVMinTimeout 0
    DAVDepthInfinity Off
    LimitXMLRequestBody 96000000
  </Directory>

  <Directory /HLL_Operations>
    Require group management staff
  </Directory>


I have tried replicating the authentication directives in each sub-directory
but the result is the same.

  <Directory /HLL_Administration/Protect>
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /HLL_Administration/Protect
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup
    Require group protected
  </Directory>

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to