Recipe 6.10 Lifting Restrictions Selectively
Problem
You want most documents to be restricted, for example by requiring a username and password, but want a few to be available to the public. For example, you may want index.html to be publicly accessible, while the rest of the files in the directory require password authentication.
Solution
Use the Satisfy Any directive in the appropriate place in your .htaccess or httpd.conf file:

<Files index.html>
    Order Deny,Allow
    Allow from all
    Satisfy Any
</Files>
Discussion
Regardless of what sorts of restrictions you may have on other files, or on the directory as a whole, the <Files> container in the solution makes the index.html file accessible to everyone without limitation. Satisfy Any tells Apache that any of the restrictions in place may be satisfied, rather than having to enforce any particular one. In this case, the restriction in force will be Allow from all, which permits access for all clients.
The basic Apache security model for HTTP is based upon the concepts of weak and strong authentication mechanisms. Weak mechanisms are those that rely on information volunteered by the user; strong ones use credentials obtained without asking the user. For instance, a username and password constitute a set of weak credentials, while the IP address of the user's client system is regarded as a strong one.
One difference between the two types lies in how Apache handles an authentication failure. If invalid weak credentials are presented, the server will respond with a 401 Unauthorized status, which allows the user to try again. In contrast, a failure to authenticate when strong credentials are required will result in a 403 Forbidden status, for which there is no opportunity to retry.
In addition, strong and weak credentials can be required in combination; this is controlled by the Satisfy directive. The five possible requirements are:

- None. No authentication required.
- Only strong credentials are needed.
- Only weak credentials are required.
- Both strong and weak credentials are accepted; if either is valid, access is permitted.
- Both strong and weak credentials are required.
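The five combinations written out as configuration, as an added example that is not part of the original recipe. It assumes the Apache 2.2-style directives the recipe uses (on Apache 2.4 they are provided by mod_access_compat); the directory paths, the 192.0.2.0/24 network and the AuthUserFile path are placeholders.

```apache
# Constructed example: paths, network and password file are placeholders.

# 1. None: no restriction, every request is served.
<Directory "/var/www/html/open">
    Order Allow,Deny
    Allow from all
</Directory>

# 2. Strong only: address check; a client outside the network gets 403.
<Directory "/var/www/html/intranet">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
</Directory>

# 3. Weak only: password check; missing or bad credentials get 401.
<Directory "/var/www/html/members">
    AuthType Basic
    AuthName "Members"
    AuthUserFile /etc/apache2/example.htpasswd
    Require valid-user
</Directory>

# 4. Either: an in-network address OR a valid login is enough.
#    An out-of-network client is prompted for a password (401).
<Directory "/var/www/html/either">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
    AuthType Basic
    AuthName "Either"
    AuthUserFile /etc/apache2/example.htpasswd
    Require valid-user
    Satisfy Any
</Directory>

# 5. Both: an in-network address AND a valid login are required.
#    An out-of-network client gets 403 and is never prompted.
<Directory "/var/www/html/both">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
    AuthType Basic
    AuthName "Both"
    AuthUserFile /etc/apache2/example.htpasswd
    Require valid-user
    Satisfy All
</Directory>
```

Satisfy All is the default, so case 5 behaves the same with that line omitted.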
See Also