Would this be the correct module to use if I want to use FORM based authentication against a mySQL database?
Currently, I have Tomcat 5 connected to Apache2 via mod_jk. I'm currently able to require user/pass authentication to access any web applications. However, if there is a link to a static page contained within $APACHE_HOME/htdocs, the user can easily bypass the login page by manually modifying the URL to access the static content within htdocs. How can I secure this?
Thanks!!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
This is one way to do authentication of static pages. mod_auth is another way, and there are numerous other ways.
But to do it against an MySQL database, this will work just great.
You will need to install mod_auth_mysql then set up the appropriate access in httpd.conf or .htaccess to secure the pages you wish. The Apache documentation has more information on general access control and the mod_auth_mysql doc contains info specific to the module.
Jerry
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Thanks for the info. I will install the module and see how far I can get. I am a system administrator and do not have much experience in configuring a webserver. I have learned a lot thus far with getting apache and tomcat connected together. Thanks for the info. I will let you know how things go.
ktreese
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I already have Tomcat working. It's all configured and what not. I currently have a login.jsp page in $CATALINA_HOME/webapps/ROOT. This is the page I'd like to use to authenticate users before they can get access anywhere -- including htdocs. Am I off base?
Thanks !!
ktreese
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
mod_auth_mysql (and other Apache authentication/authorization modules) work with Apache and your browser.
When Apache detects access to a protected directory, it sends a request to the browser for a userid and password. The first time the browser sees this, it will open a popup window requesting the information. (On further requests, the browser already has the userid/password, and just passes it on without opening the window.) Apache then passes this information on to the appropriate authentication/authorization module to check validity.
You seem to be doing your own authentication outside of Apache. This won't work with the Apache authentication method.
Jerry
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Would this be the correct module to use if I want to use FORM based authentication against a mySQL database?
Currently, I have Tomcat 5 connected to Apache2 via mod_jk. I'm currently able to require user/pass authentication to access any web applications. However, if there is a link to a static page contained within $APACHE_HOME/htdocs, the user can easily bypass the login page by manually modifying the URL to access the static content within htdocs. How can I secure this?
Thanks!!
Ktreese,
This is one way to do authentication of static pages. mod_auth is another way, and there are numerous other ways.
But to do it against an MySQL database, this will work just great.
You will need to install mod_auth_mysql then set up the appropriate access in httpd.conf or .htaccess to secure the pages you wish. The Apache documentation has more information on general access control and the mod_auth_mysql doc contains info specific to the module.
Jerry
Jerry --
Thanks for the info. I will install the module and see how far I can get. I am a system administrator and do not have much experience in configuring a webserver. I have learned a lot thus far with getting apache and tomcat connected together. Thanks for the info. I will let you know how things go.
ktreese
ktreese,
Don't worry - mod_auth_mysql is MUCH easier than Tomcat to get working! :-)
Jerry
Jerry --
I already have Tomcat working. It's all configured and what not. I currently have a login.jsp page in $CATALINA_HOME/webapps/ROOT. This is the page I'd like to use to authenticate users before they can get access anywhere -- including htdocs. Am I off base?
Thanks !!
ktreese
ktreese,
Sorry, this won't work.
mod_auth_mysql (and other Apache authentication/authorization modules) work with Apache and your browser.
When Apache detects access to a protected directory, it sends a request to the browser for a userid and password. The first time the browser sees this, it will open a popup window requesting the information. (On further requests, the browser already has the userid/password, and just passes it on without opening the window.) Apache then passes this information on to the appropriate authentication/authorization module to check validity.
You seem to be doing your own authentication outside of Apache. This won't work with the Apache authentication method.
Jerry
Thanks for the direction Jerry. I really want to avoid that ugly pop-up dialog window presented by the browser. I'll keep looking around.