[ic] passwording admin area via Apache
Mike Heins
interchange-users@icdevgroup.org
Fri Oct 18 14:02:00 2002
Quoting Stefan Hornburg (Racke) (racke@linuxia.de):
> On Fri, 18 Oct 2002 13:43:36 -0400
> Mike Heins <mike@perusion.com> wrote:
>
> >
> > Quoting Dennis Chen (dchen@technicacorp.com):
> > > > Has anyone successfully used Apache authentication to add an
> > > > additional
> > > > username/password protection on the admin area (and not the customer
> > > > part of the site)?
> > > >
> > > > I've been yet unable to use Apache style authentication (having and
> > > > .htaccess file, or a </Directory> section in the httpd.conf file) to
> > > > protect anything other than the entire catalog (by specifying the
> > > > authentication in the cgi-bin directory).
> > > >
> > > > Thanks for any help,
> > > > Daniel
> > >
> > >
> > > I was looking into also that but couldn't figure out a solution so in the end
> > > I just decided to rename my admin/login.html to something else...
> >
> > It is extremely easy to do in Apache -- and has undoubtedly been put on the
> > mail list many times. Here it is once again:
> >
> > <LocationMatch /cgi-bin/*/(ui$|admin/)>
> > AuthUserFile /etc/httpd/conf/htpasswd
> > AuthGroupFile /etc/httpd/conf/htgroup
> > AuthName Interchange-Admin
> > AuthType Basic
> > <Limit GET POST PUT>
> > require group icadmin
> > </Limit>
> > </LocationMatch>
>
> But that didn't protect any queries via the virtual process URL issued from
> within the UI.
>
Which is why I am moving more and more often to this idiom in the
UI:
<form action="[area admin/page_to_go_to]">
<input type=hidden name=mv_action value=return>
....
</form>
I think you will find there are not that many [process] tags in
the devel UI. It would be a useful goal to remove them all.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.513.523.7621 <mike@perusion.com>
For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled. -- Dick Feynman