Home / server / Questions / 404149
Accepted
petRUShka
Asked: 2012-07-03 10:03:48 +0800 CST

How can I disable Kerberos authentication for only the root of my site?

  • 772

I have Kerberos-based authentication and I want to disable it on only root url: http://mysite.com/. And I want it to continue to work fine on any other page like http://mysite.com/page1.

I have such things in my .htaccess:

AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user

I want to turn it off only for root URL. As workaround it is possible to turn off using .htaccess in virtual host config. Unfortunately I don't know how to do it.

Part of my vhost.conf:

    <Directory /home/user/www/current/public/>
            Options -MultiViews +FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
    </Directory>

UPD. I'm using Apache/2.2.3 (Linux/SUSE)

I tried to use such version of .htaccess:

SetEnvIf Request_URI ^/$ rootdir=1
Allow from env=rootdir
Satisfy Any
AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user

Unfortunately such config turn Kerberos AuthType for all URLs. I tried to place first 3 lines

SetEnvIf Request_URI ^/$ rootdir=1
Allow from env=rootdir
Satisfy Any

after main block, but it didn't help me.

apache-2.2 url authentication kerberos authorization

3 Answers

  1. Best Answer

    I moved mod_auth_kerb configuration to vhost.conf. And used Location directive to turn off authorisation on some URLs.

        # root_url
    <LocationMatch "(^\/$|^$)">
            Satisfy Any
    </LocationMatch>
    <Location /incidents/last>
            Satisfy Any
    </Location>

    <Directory /home/user/www/>
            Options -MultiViews +FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
            AuthType Kerberos
            AuthName "Domain login"
            KrbAuthRealms DOMAIN.COM
            KrbMethodK5Passwd On
            Krb5KeyTab /etc/httpd/httpd.keytab
            require valid-user
    </Directory>

    That solved my problem.

    • 2

  2. How you do this will depend on whether you are using Apache 2.2 or Apache 2.4. I haven't actually tested these so it's entirely possible that it won't work at all or may need some tweaking.

    For 2.2 we can use SetEnvIf to set a variable if they are requesting / and use Allow from and Satisfy any to control access. All of your existing config should stay as it is:

    SetEnvIf Request_URI ^/$ rootdir=1
Allow from env=rootdir
Satisfy Any

    With 2.4 there are changes to authentication and authorisation. We now have a set of <Require> blocks which you can wrap around any access control to fine-tune authorisation:

    SetEnvIf Request_URI ^/$ rootdir=1

<RequireAny>
  AuthType Kerberos
  AuthName "Domain login"
  KrbAuthRealms DOMAIN.COM
  KrbMethodK5Passwd on
  Krb5KeyTab /etc/httpd/httpd.keytab
  Require valid-user
  Require env rootdir=1
</RequireAny>

    The <RequireAny> block means that any one of the Require directives must match for authorisation to succeed. There are also <RequireAll> and <RequireNone> blocks.

    • 0

  3. Try AllowOverride None It will disable the .htacess

    • -1