	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cosign on a Sub Directory Only

To: Mark Montague <markmont@xxxxxxxxx>
Subject: Re: Cosign on a Sub Directory Only
From: johanna bromberg craig <canna@xxxxxxxxx>
Date: Thu, 22 Jul 2004 16:00:35 -0400
Cc: Cosign Discussion <cosign-discuss@xxxxxxxxx>
In-reply-to: <Pine.SOL.4.58.0407201748230.6371@mozi.lsait.lsa.umich.edu>
References: <BB0B0BFE-DA5B-11D8-B846-00039312D63C@umich.edu> <7EAD9B8C-DA5E-11D8-A558-000A95E48A4E@umich.edu> <40FD360D.70702@psu.edu> <AF59F2BA-DA90-11D8-A558-000A95E48A4E@umich.edu> <Pine.SOL.4.58.0407201748230.6371@mozi.lsait.lsa.umich.edu>

Okay, so here's the scoop.

Traditionally, AuthType mechanisms have been used with Apache and different authentication methods. So that's where we started with Cosign. Alas, without a significant amount of re-writing, the nesting of Cosign on and off ( there's no "AuthType none" to speak of ) proved to be a failure. This is why we bumped cosign back a notch in the module request/response loop ( it's at phase 3, when most mods are in phase 4 ). This allows us to nest CosignProteced Off/On, which is necessary for some of our more complex set ups here at Umich. For instance, we do have cosign off for an image ( so it can load w/ or w/o cosign ) but on for the page in question.

Keeping this in mind, I don't think we see any reason not to allow CosignProtected Off/On in .htaccess ( people would basically just shoot themselves in their own feet ).

Unless I hear shouts of terror, we'll be implementing this in our next release :)

-Johanna

On Jul 20, 2004, at 5:52 PM, Mark Montague wrote:

On Tue, 20 Jul 2004, johanna bromberg craig wrote:

This was originally a security thought, but I'm not sure our reasons
are valid anymore. I think our original logic was not wanting users to
turn off/on Cosign if an admin had made it on/off for a whole server,
but that might be spurious. Other members of the core cosign team feel
free to speak up and correct me if there was a more pressing issue and
I've just forgotten it. ;)


I wasn't involved in those discussions, but unless there is a reason
to have a CosignProtected directive, I'd be more comfortable turning
cosign on/off with the AuthType directive.  If the server admin doesn't
want users doing this, then they specify "AllowOverride -AuthConfig".
This _does_ mean that the user can't use the "require" directive
in their .htaccess files anymore, though, which is undesirable.
Right now does CosignProtected trump AuthType in all cases?  If so,
I guess this would be a valid reason for keeping CosignProtected
around but not usable in .htaccess files.

                Mark Montague
                LS&A Information Technology
                markmont@xxxxxxxxx

!DSPAM:40fd9462236152969210589!

References:
- Cosign on a Sub Directory Only
  - From: Beth Bridson
- Re: Cosign on a Sub Directory Only
  - From: johanna bromberg craig
- Re: Cosign on a Sub Directory Only
  - From: Phil Pishioneri
- Re: Cosign on a Sub Directory Only
  - From: johanna bromberg craig
- Re: Cosign on a Sub Directory Only
  - From: Mark Montague

Prev by Date: Re: Cosign on a Sub Directory Only
Next by Date: replication
Previous by thread: Re: Cosign on a Sub Directory Only
Next by thread: Re: Cosign on a Sub Directory Only
Index(es):
- Date
- Thread