
Different authentication for HTTP POST and GET requests in Apache

@Shanna517

Posted in: #Apache #Authentication #Htaccess #Post

I want to authenticate for POST requests for path/to/logical/abc.xml (but not GET requests to that URL).

How do I put constraints like this in place? The paths are logical and the Location directive is not supported in .htaccess.


3 Comments


@Yeniel560

If what you want is to let the request pass and be processed by anything on the server, like Perl, PHP, etc., you can do something like this:

RewriteCond %{REQUEST_METHOD} !^(HEAD|POST)
RewriteRule .* - [F]


That way you allow POST and HEAD requests but block all the rest.


@Hamm4606531

I guess something like this should work. I haven't tested it though.

<Limit POST>
Require valid-user
</Limit>

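A complete .htaccess form of the `<Limit POST>` approach above, as an added example that is not part of the original answer: the first block authenticates POST only, the second uses `<LimitExcept>` so that every method other than GET and HEAD requires a login. The realm name, the password file path and the placement of the file are assumptions, and the server's AllowOverride setting must permit authentication directives in .htaccess.

```apache
# .htaccess placed in the directory that handles path/to/logical/
# (placement is an assumption; it applies to every URL under that directory).

# Basic auth sends the password on every request, so serve this over TLS.
AuthType Basic
AuthName "Restricted Area"
AuthBasicProvider file
# Placeholder path: keep the password file outside the document root.
AuthUserFile "/path/to/.htpasswd"

# Variant 1: authenticate POST only.
# GET and HEAD stay open, but so does every other method
# (PUT, DELETE, PATCH, ...), which is easy to overlook.
<Limit POST>
    Require valid-user
</Limit>

# Variant 2: authenticate everything except GET and HEAD.
# Methods that are not listed, including non-standard ones, require a login.
# Keep only one of the two blocks.
<LimitExcept GET HEAD>
    Require valid-user
</LimitExcept>
```

After deploying, confirm the behaviour with one GET and one unauthenticated POST to the URL: the GET should be served and the POST should return 401.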


 

@Cugini213

This can be accomplished using a PHP server-side script as follows (you may wish to customise/improve the user credentials storage and authentication mechanism somewhat!):


<?php
// Digest-authenticate POST requests only; every other method falls through
// to the XML response at the bottom without a login.
$sRealmName = 'Restricted Area';
// Demo credentials (username => plaintext password).
$aUsers = array( 'admin' => 'admin', 'guest' => 'guest' );
if( $_SERVER['REQUEST_METHOD'] == 'POST' ) {

    // No Authorization header yet: send the Digest challenge.
    if( empty( $_SERVER['PHP_AUTH_DIGEST'] )) {
        header( 'HTTP/1.1 401 Unauthorized' );
        header( 'WWW-Authenticate: Digest realm="' . $sRealmName
            . '",qop="auth",nonce="' . uniqid() . '",opaque="'
            . md5( $sRealmName ).'"' );
        die( '401 Unauthorized: Login Required' );
    }

    // Parse the Digest header; every field listed here must be present.
    $aParameters = array( 'nonce' => 1, 'nc' => 1, 'cnonce' => 1,
        'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1 );
    $sKeys = implode( '|', array_keys( $aParameters ));
    preg_match_all( '@(' . $sKeys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
        $_SERVER['PHP_AUTH_DIGEST'], $aMatches, PREG_SET_ORDER );
    $aHttpAuthData = array();
    foreach( $aMatches as $aMatch ) {
        $aHttpAuthData[$aMatch[1]] = $aMatch[3] ? $aMatch[3] : $aMatch[4];
        unset( $aParameters[$aMatch[1]] );
    }

    // Reject if a field is missing or the user is unknown.
    $aData = $aParameters ? false : $aHttpAuthData;
    if( !$aData || !isset( $aUsers[$aData['username']] )) {
        header( 'HTTP/1.1 401 Unauthorized' );
        header( 'WWW-Authenticate: Digest realm="' . $sRealmName
            . '",qop="auth",nonce="' . uniqid() . '",opaque="'
            . md5( $sRealmName ).'"' );
        die( '401 Unauthorized: Login Incorrect' );
    }

    // Recompute the expected response: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    // The nonce used here is the one echoed back by the client; it is not
    // compared with a nonce the server issued.
    $sMd5User = md5( $aData['username'] . ':' . $sRealmName . ':' .
        $aUsers[$aData['username']]);
    $sMd5Request = md5( $_SERVER['REQUEST_METHOD'] . ':' . $aData['uri'] );
    $sMd5Digest = md5( $sMd5User . ':' . $aData['nonce'] . ':'
        . $aData['nc'] . ':' . $aData['cnonce']. ':' .$aData['qop'] . ':'
        . $sMd5Request );

    // Constant-time comparison of the expected and supplied digests.
    if( !hash_equals( $sMd5Digest, $aData['response'] )) {
        header( 'HTTP/1.1 401 Unauthorized' );
        header( 'WWW-Authenticate: Digest realm="' . $sRealmName
            . '",qop="auth",nonce="' . uniqid() . '",opaque="'
            . md5( $sRealmName ) . '"' );
        die( '401 Unauthorized: Login Incorrect' );
    }
}

// Reached by authenticated POSTs and by all non-POST requests.
header( "Expires: Mon, 26 Jul 1997 05:00:00 GMT" );
header( "Last-Modified: " . gmdate( "D, d M Y H:i:s" ) . " GMT" );
header( "Cache-Control: no-store, no-cache, must-revalidate" );
header( "Cache-Control: post-check=0, pre-check=0", false );
header( "Pragma: no-cache" );
header( "Content-type: application/xml" );
echo( '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n" );
echo( '<envelope attribute="value">' . "\r\n" );
echo( '<node attribute="value"></node>' . "\r\n" );
echo( '</envelope>' . "\r\n" );
