[Solved] resource protection restrictive access policy

Added by dirk4000 over 7 years ago

I would like to realize resource protection so most resources should be protected (only accessible by admin users) as default but some resources should be also accessible by users and only a few resources should be accessible by anyone ...
By applying this strategy, if someone would add static or dynamic resources (e.g. for fastcgi backend) the resource would automatically be protected with the highest protection level even if the webserver configuration file would not have been changed.

There is no problem to specify the resource protection for auth_admin and auth_useradmin but how could we specify the unprotected resources "/public" (auth_any)?

var.auth_admin = ("method" => "digest", "realm" => "protected area","require" => "user=Admin" )
var.auth_useradmin = ("method" => "digest", "realm" => "protected area","require" => "user=Admin|user=User" )
var.auth_any = ("method" => "" ) # this does not work, so how to achieve it ?

auth.require = (
  "/" => auth_admin,
  "/service/info" => auth_useradmin,
  "/public" => auth_any
)

Replies (1)

RE: resource protection restrictive access policy - Added by gstrauss over 7 years ago

There is not currently a way in lighttpd to "disable" auth.require once it has been configured.

However, since the locations you do not want to require auth are a whitelist, you can use that in a condition, and require auth for paths which do not match the whitelist:

$HTTP["url"] !~ "^(?:/public|/other-safe-path)" {
  auth.require = ( ... )
}
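
The whitelist condition from the reply, checked against constructed request paths to see which ones end up exempt from auth (an added example, not part of the original thread or of lighttpd). Python's `re.search` stands in for lighttpd's regex match on the URL path, and `STRICT_WHITELIST`, the helper names and the sample paths are assumptions made for illustration.

```python
import re

# Pattern copied from the reply above (lighttpd's !~ is an unanchored regex non-match).
REPLY_WHITELIST = r"^(?:/public|/other-safe-path)"
# Assumption (not from the thread): same whitelist, but each entry must end at a
# path-segment boundary, so only the directory itself and its children are exempt.
STRICT_WHITELIST = r"^(?:/public|/other-safe-path)(?:/|$)"


def auth_required(url_path: str, whitelist: str) -> bool:
    """Mirror `$HTTP["url"] !~ whitelist { auth.require = (...) }`:
    the auth block applies only when the whitelist does NOT match."""
    return re.search(whitelist, url_path) is None


def unintended_exemptions(paths, whitelist, intended_roots):
    """Return paths that skip auth although they are not inside an intended root."""
    leaked = []
    for p in paths:
        inside = any(p == r or p.startswith(r + "/") for r in intended_roots)
        if not auth_required(p, whitelist) and not inside:
            leaked.append(p)
    return leaked


# Constructed sample paths, e.g. resources someone adds later without touching the config.
SAMPLE_PATHS = [
    "/", "/service/info", "/public", "/public/logo.png",
    "/public-old/admin.cgi", "/publications/draft.pdf",
    "/other-safe-path/index.html", "/other-safe-path2/status",
    "/Public/logo.png",
]
INTENDED = ["/public", "/other-safe-path"]

if __name__ == "__main__":
    for name, pattern in (("reply", REPLY_WHITELIST), ("strict", STRICT_WHITELIST)):
        print(name, "pattern:", pattern)
        for p in SAMPLE_PATHS:
            print(f"  {p:32} auth required: {auth_required(p, pattern)}")
        print("  unintended exemptions:",
              unintended_exemptions(SAMPLE_PATHS, pattern, INTENDED))
```

With the prefix-only pattern, a later-added sibling such as `/public-old` is exempt from auth without any config change, which works against the default-deny goal stated in the question; the boundary-anchored variant keeps such paths protected.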