SSL + Basic Auth
on 25.07.2007 17:15:30 by Aaron Dalton
I am trying to set up a RESTful web service where GET is open to all but
POST, PUT, and DELETE are restricted to authorized users. I have a
database of users that is checked using Basic Auth. So far, so good. I
*also* want to make it possible to issue certificates (from a
home-rolled CA) to users if they wish, so they can bypass the
username/password dialogues. Try as I might, I simply cannot get an
either/or setup working where certs are checked and basic auth is
skipped if a valid cert is found. No matter what, the Basic Auth dialog
always appears. It also appears that the
work with RequireSSL directives? Is there a way to limit only certain
methods using SSL? I've tried +FakeBasicAuth but then the database
lookup code rejects the username (of course). Here's what my config
looks like right now. I would really appreciate any pointers or
suggestions. Thanks so much for your time.
--BEGIN CONFIG--
SSLOptions +StdEnvVars
AllowOverride all
Order deny,allow
Allow from all
Satisfy any
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLRequire ( \
%{SSL_CLIENT_S_DN_O} eq "Super Duper Games" \
and %{SSL_CLIENT_S_DN_OU} eq "REST Server" \
)
AuthType Basic
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT encrypt(password) FROM users WHERE username=%s"
AuthName "Super Duper Games"
Require valid-user
--END CONFIG--
--
Aaron Dalton | Super Duper Games
aaron@daltons.ca | http://superdupergames.org
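
The either/or policy described in the message above, enforced in application code instead of in Apache directives (an added example, not part of the original post and not mod_ssl code). It assumes the application receives the variables exported by SSLOptions +StdEnvVars and that the Authorization header is passed through to it; the user table, the HEAD allowance and all function names are constructed for illustration.

```python
import base64, binascii, hashlib, hmac

# Constructed sample user table (username -> SHA-256 hex of password). It
# stands in for the poster's users database; a real deployment should store
# a salted, slow password hash instead.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
OPEN_METHODS = {"GET", "HEAD"}   # HEAD is an assumption; the post names GET
REQUIRED_O, REQUIRED_OU = "Super Duper Games", "REST Server"

def cert_ok(env):
    """True only for a verified client cert that matches the SSLRequire rules."""
    return (env.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and env.get("SSL_CLIENT_S_DN_O") == REQUIRED_O
            and env.get("SSL_CLIENT_S_DN_OU") == REQUIRED_OU)

def basic_ok(env):
    """Validate an 'Authorization: Basic ...' header against USERS."""
    scheme, _, blob = env.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    stored = USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Compare even for unknown users so timing does not reveal valid names.
    match = hmac.compare_digest(digest, stored or "0" * 64)
    return match and stored is not None and sep == ":"

def authorize(env):
    """Return the HTTP status for a request: 200, 401 or 403."""
    if env.get("REQUEST_METHOD") in OPEN_METHODS:
        return 200          # reads stay open to everyone
    keysize = env.get("SSL_CIPHER_USEKEYSIZE", "")
    if env.get("HTTPS") != "on" or not keysize.isdigit() or int(keysize) < 128:
        return 403          # writes are refused without TLS or with a weak cipher
    if cert_ok(env) or basic_ok(env):
        return 200          # either credential is sufficient
    return 401              # ask for Basic credentials only when both fail
```

Any method outside OPEN_METHODS needs a credential, so an unexpected verb fails closed, and a certificate that verifies but carries the wrong O or OU falls back to Basic Auth rather than being accepted.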
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org