[Solved] Auth support for restful webapps - considering the request type while configuring the resource protection

Added by dirk4000 about 7 years ago

Hi,

lighty has the possibility to configure the protection for resources (e.g. static/dynamic):

    auth.require = ( "/server-info" =>
        ( # limit access to server information
            "method"  => "digest",
            "realm"   => "download archiv",
            "require" => "valid-user"
        )
    )

It would be great to extend that feature to also consider the request type, e.g.

    auth.require = ( "/service/system/time" =>
        ( # limit read access to only valid users
            "reqtype" => "GET",
            "method"  => "digest",
            "realm"   => "protected resource",
            "require" => "valid-user"
        ),
        "/service/system/time" =>
        ( # only "agent007" should be able to change the time
            "reqtype" => "POST",
            "method"  => "digest",
            "realm"   => "protected resource",
            "require" => "user=agent007"
        )
    )

With no given attribute "reqtype" all request methods would match (=>compatibility to lower versions of lighty is given).
Is it possible to achieve such a feature with the current version of lighty?
If not, what do you think to implement that feature in an upcoming version (should be not so hard to implement it and should be useful for other users)?

Dirk.


Replies (1)

RE: Auth support for restful webapps - considering the request type while configuring the resource protection - Added by gstrauss about 7 years ago

> (should be not so hard to implement it and should be useful for other users)

One of the fastest ways to get ignored is to tell someone else to do work because you assume it should be easy. Never mind if it is the right thing to do or not.

> Is it possible to achieve such a feature with the current version of lighty?

One quick answer is that whatever handles the POST could verify REMOTE_USER is set to an authorized user, which in your example, is agent007.

Another quick answer is to read the lighttpd doc. If you want to keep the auth in lighttpd.conf, then yes, lighttpd can do it. See Docs_Configuration and $HTTP["request-method"]. Realize that if you're asking that question, you're in absolutely no position to gauge whether it is easy or not to modify lighttpd code to do what you suggest above. Please move along and refer to the documentation.
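
The `$HTTP["request-method"]` approach from the reply above, written out as an added example that is not part of the original thread. Grouping HEAD with GET and sending every other method to the stricter rule goes beyond the GET/POST pair in the question, so that a method nobody listed is never left unauthenticated; the backend lines and the user-file path are assumptions.

```lighttpd
# Added example, not from the thread. mod_auth is assumed to be loaded already.
auth.backend = "htdigest"
# Placeholder path (assumption): point this at your own htdigest user file.
auth.backend.htdigest.userfile = "/path/to/lighttpd.user.htdigest"

# Scope the rules to the one resource: an auth.require set inside a
# conditional replaces the inherited value rather than merging with it,
# so an unscoped method conditional would drop rules such as "/server-info".
$HTTP["url"] =~ "^/service/system/time" {

    # Read access: any authenticated user.
    $HTTP["request-method"] =~ "^(GET|HEAD)$" {
        auth.require = ( "/service/system/time" =>
            (
                "method"  => "digest",
                "realm"   => "protected resource",
                "require" => "valid-user"
            )
        )
    }

    # Everything that is not a read (POST, PUT, DELETE, ...): agent007 only.
    # Matching on "not GET/HEAD" instead of on "POST" keeps the rule fail-closed.
    $HTTP["request-method"] !~ "^(GET|HEAD)$" {
        auth.require = ( "/service/system/time" =>
            (
                "method"  => "digest",
                "realm"   => "protected resource",
                "require" => "user=agent007"
            )
        )
    }
}
```

`lighttpd -t -f <config file>` checks the syntax before a reload. The other suggestion in the reply, having the handler check REMOTE_USER itself, can be kept alongside this as a second layer.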
