Apache permissions based on querystring
In Apache 2.4 there's an easier way to do this without the rewrite.
You can use LocationMatch to match up to the QUERY_STRING, and then use an If block to match the contents of QUERY_STRING, i.e., something like this:
<LocationMatch "^/foo/api.php">
    <If "%{QUERY_STRING} =~ /.*Task=DoStuff.*/" >
        Require all granted
    </If>
</LocationMatch>
As you can read here:
The <Location>, <LocationMatch>, <Directory> and <DirectoryMatch> Apache directives allow us to apply authentication/authorization to specific patterns of resources with a high degree of specificity, but do not give us that control down to the query-string level.
Therefore, you have to use mod_rewrite to achieve your goal.
For example:
RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
    Order allow,deny
    Allow from env=no_auth_required
    AuthType Basic
    AuthName "Login Required"
    AuthUserFile /var/www/foo/.htpasswd
    require valid-user
    Satisfy Any
</LocationMatch>
UPDATE
You've stated that:
If I just filter ^/foo/api.php I get passed the authentication, but this isn't strict enough.
Then, try adding the following rows to your configuration:
RewriteEngine on
RewriteCond %{QUERY_STRING} Task=DoStuff
RewriteRule ^/foo/api.php - [E=no_auth_required:1]

<LocationMatch ^/foo/api.php>
    Order allow,deny
    Allow from env=no_auth_required
</LocationMatch>
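
Both answers test the query string with an unanchored pattern, so any query string that merely contains the text Task=DoStuff skips the login. A stricter Apache 2.4 variant follows as an added example, not taken from either answer; it assumes httpd 2.4.16 or later (quoted Require expr) and reuses the path and .htpasswd file shown above.

```apache
# Added example, not from either answer.
# Assumes httpd 2.4.16+ with mod_auth_basic, mod_authn_file and mod_authz_core.

# <Location> (prefix match) rather than an end-anchored regex, so requests
# with extra path info under the script stay inside the protected block.
<Location "/foo/api.php">
    AuthType Basic
    AuthName "Login Required"
    AuthUserFile /var/www/foo/.htpasswd

    <RequireAny>
        # Loose form used in the answers: a substring test. It is true for any
        # query string that contains the text, including inside another
        # parameter's name or value, or next to a second Task parameter.
        # Require expr "%{QUERY_STRING} =~ /Task=DoStuff/"

        # Strict form: the raw (undecoded) query string must be exactly this
        # one parameter. Encoded or padded variants fail the comparison and
        # fall through to the login below.
        Require expr "%{QUERY_STRING} == 'Task=DoStuff'"

        # Every other request to the script needs a valid user.
        Require valid-user
    </RequireAny>
</Location>
```

If the unauthenticated call legitimately carries further parameters, list each permitted query string explicitly instead of loosening the comparison back to a substring match, because the web server and the application may disagree about which Task value wins when the parameter appears more than once.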