cosign-discuss at umich.edu
general discussion of cosign development and deployment
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Cosign on a Sub Directory Only
Okay, so here's the scoop.
Traditionally, AuthType mechanisms have been used with Apache and
different authentication methods. So that's where we started with
Cosign. Alas, without a significant amount of re-writing, the nesting
of Cosign on and off ( there's no "AuthType none" to speak of ) proved
to be a failure. This is why we bumped cosign back a notch in the
module request/response loop ( it's at phase 3, when most mods are in
phase 4 ). This allows us to nest CosignProteced Off/On, which is
necessary for some of our more complex set ups here at Umich. For
instance, we do have cosign off for an image ( so it can load w/ or w/o
cosign ) but on for the page in question.
Keeping this in mind, I don't think we see any reason not to allow
CosignProtected Off/On in .htaccess ( people would basically just shoot
themselves in their own feet ).
Unless I hear shouts of terror, we'll be implementing this in our next
On Jul 20, 2004, at 5:52 PM, Mark Montague wrote:
On Tue, 20 Jul 2004, johanna bromberg craig wrote:
This was originally a security thought, but I'm not sure our reasons
are valid anymore. I think our original logic was not wanting users to
turn off/on Cosign if an admin had made it on/off for a whole server,
but that might be spurious. Other members of the core cosign team feel
free to speak up and correct me if there was a more pressing issue and
I've just forgotten it. ;)
I wasn't involved in those discussions, but unless there is a reason
to have a CosignProtected directive, I'd be more comfortable turning
cosign on/off with the AuthType directive. If the server admin doesn't
want users doing this, then they specify "AllowOverride -AuthConfig".
This _does_ mean that the user can't use the "require" directive
in their .htaccess files anymore, though, which is undesirable.
Right now does CosignProtected trump AuthType in all cases? If so,
I guess this would be a valid reason for keeping CosignProtected
around but not usable in .htaccess files.
LS&A Information Technology