
Recipe 6.10 Lifting Restrictions Selectively

Problem

You want most documents to be restricted, such as requiring a username and password, but want a few to be available to the public. For example, you may want index.html to be publicly accessible, while the rest of the files in the directory require password authentication.

Solution

Use the Satisfy Any directive in the appropriate place in your .htaccess or httpd.conf file:

<Files index.html>
    Order Deny,Allow
    Allow from all
    Satisfy Any
</Files>

Discussion

Regardless of what sorts of restrictions you may have on other files, or on the directory as a whole, the <Files> container in the solution makes the index.html file accessible to everyone without limitation. Satisfy Any tells Apache that meeting any one of the restrictions in place is sufficient, rather than requiring all of them to be met. In this case, the restriction that is met is Allow from all, which permits access for all clients.
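The recipe's <Files> block shown in the surrounding context it is usually used in, as an added example that is not part of the original recipe. The directory path, AuthName and AuthUserFile location are assumptions; the directives themselves are the Apache 2.2 ones the recipe uses:

```apache
# Added example (not from the recipe): a password-protected directory
# in which only index.html is public. Paths and names are assumptions.
<Directory "/var/www/html/members">
    # Weak credentials: a username and password checked against the
    # htpasswd file. A missing or wrong password yields 401 Unauthorized.
    AuthType Basic
    AuthName "Members Area"
    AuthUserFile "/etc/httpd/conf/members.htpasswd"
    Require valid-user

    # Default (Satisfy All): every requirement in force must be met.
    # No Order/Allow/Deny here, so the only requirement is the password.
    Satisfy All

    # Exception: index.html is public. Require valid-user is still
    # inherited, but Satisfy Any means that passing the address check
    # (which Allow from all guarantees) is enough on its own, so the
    # password check is never reached for this one file.
    <Files index.html>
        Order Deny,Allow
        Allow from all
        Satisfy Any
    </Files>
</Directory>
```

Two things to check when deploying this. First, the Allow from all inside <Files> is not decoration: Satisfy Any only helps if there is a strong (address-based) requirement that can succeed, and without an Allow directive there is nothing to satisfy. Second, a <Files> container matches on the file name alone, so if you put it directly in httpd.conf rather than inside <Directory> or in the directory's .htaccess, it opens every file named index.html on the server, not just the one you meant. On Apache 2.4, Order, Allow, Deny and Satisfy are only available through mod_access_compat; the native equivalent is a <RequireAny> block containing Require all granted alongside the Require valid-user.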

Weak and Strong Authentication

The basic Apache security model for HTTP is based upon the concepts of weak and strong authentication mechanisms. Weak mechanisms are those that rely on information volunteered by the user; strong ones use credentials obtained without asking him. For instance, a username and password constitute a set of weak credentials, while the IP address of the user's client system is regarded as a strong one.

One difference between the two types lies in how Apache handles an authentication failure. If invalid weak credentials are presented, the server will respond with a 401 Unauthorized status, which allows the user to try again. In contrast, a failure to authenticate when strong credentials are required will result in a 403 Forbidden status—for which there is no opportunity to retry.

In addition, strong and weak credentials can be required in combination; this is controlled by the Satisfy directive. The five possible requirements are:

  • None. No authentication required.

  • Only strong credentials are needed.

  • Only weak credentials are required.

  • Both strong and weak credentials are accepted; if either is valid, access is permitted.

  • Both strong and weak credentials are required.
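Each of the five requirements above expressed as a directory configuration, as an added example that is not from the recipe. The directory paths, AuthName values, htpasswd locations and the 192.0.2.0/24 network (a documentation address range) are placeholders:

```apache
# Added example (not from the recipe). All paths, names and the
# 192.0.2.0/24 network below are placeholders.

# 1. None: no authentication of either kind.
<Directory "/var/www/html/public">
    Order Deny,Allow
    Allow from all
</Directory>

# 2. Only strong credentials: the client address decides.
#    A client outside the network gets 403 Forbidden, with no retry.
<Directory "/var/www/html/intranet">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
</Directory>

# 3. Only weak credentials: any address, but a password is needed.
#    A wrong or missing password gets 401 Unauthorized and may retry.
<Directory "/var/www/html/members">
    AuthType Basic
    AuthName "Members"
    AuthUserFile "/etc/httpd/conf/members.htpasswd"
    Require valid-user
</Directory>

# 4. Either is accepted: clients on the network are never asked for a
#    password; clients elsewhere fail the address check, fall through
#    to the password check and receive 401 until they authenticate.
<Directory "/var/www/html/staff">
    AuthType Basic
    AuthName "Staff"
    AuthUserFile "/etc/httpd/conf/staff.htpasswd"
    Require valid-user
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
    Satisfy Any
</Directory>

# 5. Both are required: the client must be on the network AND present
#    a valid password. Off-network clients get 403 immediately; the
#    password dialog only appears to clients that passed the address check.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Administration"
    AuthUserFile "/etc/httpd/conf/admin.htpasswd"
    Require valid-user
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
    Satisfy All
</Directory>
```

Cases 4 and 5 differ only in the Satisfy line, which is why it is worth being explicit: Satisfy All is the default, so leaving the directive out of case 4 silently turns "either" into "both". The status code a rejected client sees also tells you which check failed first: 403 means the address check was decisive, 401 means the server is still willing to take a password.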


See Also
