7

I want to protect a path in my VirtualHost but allow users a variety of authentication options (e.g. mod-auth-cas, mod-auth-openid and mod-auth-digest.) How do I set up the virtual host definition to allow multiple auth-types for the same location?

James A. Rosen

4 Answers

6

The problem with multiple authentication types is they tend to have irreconcilable protocols. You can try the technique shown in the Shibboleth documentation, where you put everything in a subdirectory, create a symlink to that directory for each authentication type you want to support, then configure each symlink location for a different authentication type.

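<Location /basic>
    AuthType Basic
    # AuthName (the realm) is required with AuthType Basic; this value is a placeholder
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    require valid-user
</Location>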
<Location /cas>
    AuthType CAS
    require valid-user
</Location>
<Location /openid>
    AuthOpenIDEnabled On
    require valid-user
</Location>
outis
4

I had almost the same situation, solved like the following:

At server config level, in the apache2.conf (assuming Debian-based distros):

<AuthnProviderAlias method1 auth1_name>
# config options
# ...
</AuthnProviderAlias>

<AuthnProviderAlias method2 auth2_name>
# config options
# ...
</AuthnProviderAlias>

In the Virtual Host specific conf file:

<VirtualHost *>
# config options
# ...

<Location /your_location>
# config options
AuthBasicProvider auth1_name auth2_name
# other needed config options
# ...
</Location>
</VirtualHost>

In this way you can use different authorization/authentication methods with different names in the same Location directive for different VirtualHosts.

More details of my solution in a short blog post: link text

HTH, ciao :) Gianluca

  • This is a really great technique. However, it doesn't solve the poster's question of using different AuthTypes – Kamil Kisiel Oct 01 '09 at 22:34
  • Thank you Kamil :) I didn't read the later OP comments, in the first post is mentioned 'location', from Apache docs I read that the AuthType context is 'directory'. So, sorry for the OffTopic. – Gianluca Riccardi Oct 02 '09 at 08:04
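
A concrete instance of the aliasing approach in the answer above, written as an added example that is not part of the original post. It assumes Apache 2.4 with mod_authn_core, mod_authn_file and mod_authnz_ldap loaded; the alias names, file path, LDAP URL, server name and realm are all placeholders. As the comments note, both providers still sit behind a single AuthType (Basic).

```apache
# Server config level (e.g. apache2.conf). Alias names are hypothetical.
<AuthnProviderAlias file local-users>
    # Placeholder path; keep the password file outside the DocumentRoot
    AuthUserFile "/etc/apache2/htpasswd.local"
</AuthnProviderAlias>

<AuthnProviderAlias ldap corp-ldap>
    # Placeholder directory server and search base
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid"
</AuthnProviderAlias>

# Virtual host conf file. SSLEngine and certificate directives are omitted here;
# Basic credentials are only base64-encoded, so serve this location over TLS.
<VirtualHost *:443>
    ServerName www.example.com

    <Location "/your_location">
        AuthType Basic
        AuthName "Restricted"
        # Providers are consulted left to right. The next one is tried only
        # when the previous one does not know the user; a wrong password for
        # a user the first provider knows is a denial, not a fall-through.
        AuthBasicProvider local-users corp-ldap
        Require valid-user
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after editing to check the syntax before reloading.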
2

Have you tried "Satisfy Any"?

jwa
0

Another solution is to differentiate authentication based on the content of the HTTP header with an <If> clause:

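 <If "%{HTTP:Authorization} =~ /^Basic/">
   AuthType Basic
   # AuthName (the realm) is required with AuthType Basic; this value is a placeholder
   AuthName "Restricted"
   AuthUserFile /path/to/.htpasswd
   Require valid-user
 </If>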
 <Elseif "%{HTTP:Authorization} =~ /^Bearer/">
   AuthOpenIDEnabled On
   Require valid-user
 </Elseif>
 <Else>
   AuthType CAS
   Require valid-user
 </Else>