Discussion:
Regular expressions in LocationMatch
Rob
2008-11-27 11:21:03 UTC
Hello everybody.

This is my first post in the group so be patient :-)

I've configured the mod_xradius with Apache 2.2.8 as to protect a given
application which gets accessed using an HW token.

This application gets accessed using the following URL:

http://servername/sgd/index.jsp?langSelected=en

I'd like to use a regular expression as to only protect this URL since,
during login and logout, a similar URL gets processed by Apache which
triggers another authentication process.

As an example, as soon as the user enters the above URL, the browser
gets redirected with the following:

http://<server>/sgd/index.jsp?langSelected=en&ko=<numero>&langSelected=en

Since I'm not allowed to use the XRADIUS cache, the user will end up
having to enter his credentials twice.

The LocationMatch definition which works so far is the following:

<LocationMatch "/sgd/index.jsp(.*)">
Order Allow,Deny
AuthType Basic
AuthName "Radius username and password"
AuthBasicProvider xradius
AuthXRadiusAddServer "<radius_ip>" "secret"
AuthXRadiusTimeout 7
AuthXRadiusRetries 2
AuthXRadiusRejectBlank on
require valid-user
Satisfy any
</LocationMatch>


I've tried by defining

<LocationMatch "^/sgd/index.jsp?langSelected=en$">

but that does not get recognized by the browser.

Am I missing something or what?

I've also tried by escaping the metacharacters

<LocationMatch "^/sgd/index\.jsp\?langSelected=en$">

but unsuccessfully.

Any ideas?

Thanks,
Rob
phantom
2008-11-27 11:55:08 UTC
Post by Rob
Hello everybody.
This is my first post in the group so be patient :-)
I've configured the mod_xradius with Apache 2.2.8 as to protect a given
application which gets accessed using an HW token.
http://servername/sgd/index.jsp?langSelected=en
I'd like to use a regular expression as to only protect this URL since,
during login and logout, a similar URL gets processed by Apache which
triggers another authentication process.
As an example, as soon as the user enters the above URL, the browser
http://<server>/sgd/index.jsp?langSelected=en&ko=<numero>&langSelected=en
Since I'm not allowed to use the XRADIUS cache, the user will end up
having to enter his credentials twice.
<LocationMatch "/sgd/index.jsp(.*)">
Order Allow,Deny
AuthType Basic
AuthName "Radius username and password"
AuthBasicProvider xradius
AuthXRadiusAddServer "<radius_ip>" "secret"
AuthXRadiusTimeout 7
AuthXRadiusRetries 2
AuthXRadiusRejectBlank on
require valid-user
Satisfy any
</LocationMatch>
I've tried by defining
<LocationMatch "^/sgd/index.jsp?langSelected=en$">
but that does not get recognized by the browser.
Am I missing something or what?
The query string is not part of the location, which is why you cannot match
against it - you should find that:
<LocationMatch "^/sgd/index.jsp$">
matches everything that your current working match does.
Rob
2008-11-27 12:34:21 UTC
Post by phantom
Post by Rob
Hello everybody.
This is my first post in the group so be patient :-)
I've configured the mod_xradius with Apache 2.2.8 as to protect a given
application which gets accessed using an HW token.
http://servername/sgd/index.jsp?langSelected=en
I'd like to use a regular expression as to only protect this URL since,
during login and logout, a similar URL gets processed by Apache which
triggers another authentication process.
As an example, as soon as the user enters the above URL, the browser
http://<server>/sgd/index.jsp?langSelected=en&ko=<numero>&langSelected=en
Since I'm not allowed to use the XRADIUS cache, the user will end up
having to enter his credentials twice.
<LocationMatch "/sgd/index.jsp(.*)">
Order Allow,Deny
AuthType Basic
AuthName "Radius username and password"
AuthBasicProvider xradius
AuthXRadiusAddServer "<radius_ip>" "secret"
AuthXRadiusTimeout 7
AuthXRadiusRetries 2
AuthXRadiusRejectBlank on
require valid-user
Satisfy any
</LocationMatch>
I've tried by defining
<LocationMatch "^/sgd/index.jsp?langSelected=en$">
but that does not get recognized by the browser.
Am I missing something or what?
The query string is not part of the location, which is why you cannot match
<LocationMatch "^/sgd/index.jsp$">
matches everything that your current working match does.
You're quite correct!

In fact,

<LocationMatch "^/sgd/index.jsp$">

matches my previous regexp.

Unfortunately, that does not solve the problem :-(

I've tried by adding:

SetEnvIf URI .*ko=.* auth_bypass

and thus modifying the LocationMatch as to add

Allow from env auth_bypass

but I'm always prompted for a double RADIUS authentication.

The actual syntax is as follows:

SetEnvIf Request_URI ".*ko=.*" sgd_noauth_ok
AuthXRadiusCache none -

<LocationMatch "^/sgd/index.jsp$">
Order Allow,Deny
Allow from env=sgd_noauth_ok
AuthType Basic
AuthName "Radius username and password"
AuthBasicProvider xradius
AuthXRadiusAddServer "<radius_ip>" "<secret>"
AuthXRadiusTimeout 7
AuthXRadiusRetries 2
AuthXRadiusRejectBlank on
require valid-user
Satisfy any
</LocationMatch>

Thanks,
Rob
phantom
2008-11-27 13:03:06 UTC
Post by Rob
Post by phantom
Post by Rob
I've configured the mod_xradius with Apache 2.2.8 as to protect a given
application which gets accessed using an HW token.
http://servername/sgd/index.jsp?langSelected=en
I'd like to use a regular expression as to only protect this URL since,
during login and logout, a similar URL gets processed by Apache which
triggers another authentication process.
As an example, as soon as the user enters the above URL, the browser
http://<server>/sgd/index.jsp?langSelected=en&ko=<numero>&langSelected=en
Since I'm not allowed to use the XRADIUS cache, the user will end up
having to enter his credentials twice.
<LocationMatch "/sgd/index.jsp(.*)">
I've tried by defining
<LocationMatch "^/sgd/index.jsp?langSelected=en$">
but that does not get recognized by the browser.
Am I missing something or what?
The query string is not part of the location, which is why you cannot match
<LocationMatch "^/sgd/index.jsp$">
matches everything that your current working match does.
You're quite correct!
SetEnvIf Request_URI ".*ko=.*" sgd_noauth_ok
<excuse the hefty snipping>

The Request_URI doesn't contain the query string either!

To set the environment variable, you can try using the rewrite engine:

RewriteEngine on
RewriteCond %{QUERY_STRING} ko=
RewriteRule ^(.*)$ $1 [E=sgd_noauth_ok,L]
Rob
2008-11-27 13:42:48 UTC
Post by phantom
<excuse the hefty snipping>
You're more than WELCOME!

Thanks again for the time you're devoting to this issue.

I'm not a great Apache expert but I think we're approaching a solution.
Post by phantom
The Request_URI doesn't contain the query string either!
RewriteEngine on
RewriteCond %{QUERY_STRING} ko=
RewriteRule ^(.*)$ $1 [E=sgd_noauth_ok,L]
I turned on the RewriteEngine but still I have a double RADIUS auth
request :-(

This is the actual config:

RewriteEngine on
RewriteCond %{QUERY_STRING} ko= [OR]
RewriteCond %{QUERY_STRING} action=
RewriteRule ^(.*)$ $1 [E=ko_noauth_ok,L]

I added another condition (assuming I coded that right) since I noticed
from the logs that the RADIUS authentication got triggered by the
following (from error_log):

[error] [client 192.168.68.100] user myuser: authentication failure for
"/sgd/index.jsp": Password Mismatch, referer:
http://ssgd.test.strhold.it/sgd/webtops/standard/webtop/logged-out.jsp?ENTRY_URL=/index.jsp?langSelected=en&name=Logout&action=changed&data=ssgd.test.strhold.it%3A1227792127987%3A4867977237099526747

[error] [client 192.168.68.100] user myuser: authentication failure for
"/sgd/index.jsp": Password Mismatch, referer:
http://ssgd.test.strhold.it/sgd/index.jsp?langSelected=en

While the second is expected (and it's the login page) the first one
gets triggered as to actually log the user out of the application.

If you're interested, the underlying application is Sun Secure Global
Desktop (AKA Tarantella) which is "powered" by both Apache and Tomcat.

If you need more details, please let me know.

Thanks,
Rob
phantom
2008-11-27 14:42:15 UTC
Post by Rob
Post by phantom
<excuse the hefty snipping>
You're more than WELCOME!
Thanks again for the time you're devoting to this issue.
I'm not a great Apache expert but I think we're approaching a solution.
Post by phantom
The Request_URI doesn't contain the query string either!
RewriteEngine on
RewriteCond %{QUERY_STRING} ko=
RewriteRule ^(.*)$ $1 [E=sgd_noauth_ok,L]
I turned on the RewriteEngine but still I have a double RADIUS auth
request :-(
RewriteEngine on
RewriteCond %{QUERY_STRING} ko= [OR]
RewriteCond %{QUERY_STRING} action=
RewriteRule ^(.*)$ $1 [E=ko_noauth_ok,L]
There's a small problem with the syntax I used, it appears the environment
variable needs to have an explicit value -
RewriteRule ^(.*)$ $1 [E=ko_noauth_ok:1,L]
Rob
2008-11-27 15:14:16 UTC
Post by phantom
Post by Rob
Post by phantom
<excuse the hefty snipping>
You're more than WELCOME!
Thanks again for the time you're devoting to this issue.
I'm not a great Apache expert but I think we're approaching a solution.
Post by phantom
The Request_URI doesn't contain the query string either!
RewriteEngine on
RewriteCond %{QUERY_STRING} ko=
RewriteRule ^(.*)$ $1 [E=sgd_noauth_ok,L]
I turned on the RewriteEngine but still I have a double RADIUS auth
request :-(
RewriteEngine on
RewriteCond %{QUERY_STRING} ko= [OR]
RewriteCond %{QUERY_STRING} action=
RewriteRule ^(.*)$ $1 [E=ko_noauth_ok,L]
There's a small problem with the syntax I used, it appears the environment
variable needs to have an explicit value -
RewriteRule ^(.*)$ $1 [E=ko_noauth_ok:1,L]
Hi.


That did the trick!

THANKS!

Meanwhile, I've been able to find another working solution: since SSGD
executes a JSP page when the user is logged out, I've been able to use the

document.execCommand("ClearAuthenticationCache")

javascript function as to clear out the user credentials. Now, even if I
set the AuthXRadiusCacheTimeout to a huge value (eg, 86400) the above
routine will clear the user credentials.

Again, THANK YOU VERY MUCH for your help!

I owe you a beer (or whatever you like to drink) should you ever come to
visit Italy!

Ciao,
Rob
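
Added example, not part of any post in this thread: a small Python model of which part of the request each directive discussed above is tested against, and of when the RADIUS prompt appears under `Satisfy any`. The function `evaluate`, the `ANCHORED_QUERY` patterns and the sample requests are constructed for illustration, and the model assumes the variable named in `Allow from env=` is the one the `RewriteRule` sets.

```python
import re
from urllib.parse import urlsplit

# Patterns quoted from the thread.
LOCATION_WITH_QUERY = r"^/sgd/index\.jsp\?langSelected=en$"
LOCATION_PATH_ONLY = r"^/sgd/index.jsp$"
SETENVIF_REQUEST_URI = r".*ko=.*"
REWRITECOND_QUERY = (r"ko=", r"action=")  # the two conditions joined by [OR]
# Constructed alternative (not from the thread): match whole parameter names only.
ANCHORED_QUERY = (r"(^|&)ko=", r"(^|&)action=")


def evaluate(url, query_patterns=REWRITECOND_QUERY):
    """Test each directive against the part of the request it actually sees."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    exempt = any(re.search(p, query) for p in query_patterns)
    protected = re.search(LOCATION_PATH_ONLY, path) is not None
    return {
        # <LocationMatch> and SetEnvIf Request_URI only ever see the path.
        "location_with_query": bool(re.search(LOCATION_WITH_QUERY, path)),
        "location_path_only": protected,
        "setenvif_request_uri": bool(re.search(SETENVIF_REQUEST_URI, path)),
        # RewriteCond %{QUERY_STRING} sees the text after the "?".
        "rewritecond_query": exempt,
        # Order Allow,Deny + Allow from env + Satisfy any: the RADIUS prompt
        # appears only when the path is protected and the variable is unset.
        "radius_prompt": protected and not exempt,
    }


# Constructed sample requests: the first two follow the URLs in the thread
# (12345 stands in for <numero>), the third is made up to test pattern breadth.
SAMPLES = [
    "http://servername/sgd/index.jsp?langSelected=en",
    "http://servername/sgd/index.jsp?langSelected=en&ko=12345&langSelected=en",
    "http://servername/sgd/index.jsp?langSelected=en&reaction=none",
]

if __name__ == "__main__":
    for url in SAMPLES:
        for label, pats in (("thread", REWRITECOND_QUERY), ("anchored", ANCHORED_QUERY)):
            print(label, url, evaluate(url, pats))
```

Because the exemption is decided from the query string alone, the unanchored `ko=` and `action=` conditions also match longer parameter names; the anchored variants limit the match to those two parameters, which is worth checking before relying on the rule in front of an authentication realm.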
