Category Archives: authorization

How to set an Authorization Header with Apache 2.4?

I'm currently developing a webmapping application. I'm using Apache 2.4, PHP, JavaScript and Dojo (a JavaScript library used for mapping). Dojo is making requests to webservices (hosted on https:// host/server/rest/services/... and managed by another department in my company). But in order to access those webservices, an authentication with Basic is required.

Because they're not implementing token authentication like they should (that we could use with Dojo), a popup appears when we connect to the application in order to access the data in the webservices. I would like to configure Apache (my httpd.conf) in order to avoid this popup for our users and to set a correct Authorization header that would be sent with every request Dojo makes to our webservices.

My first idea was to set the Header with headers_module

RequestHeader set Authorization "Basic ****" 

and then use rewrite_module with what I found online:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)$ [NC]
RewriteRule /.* - [E=HTTP_AUTHORIZATION:%1]

but it doesn't seem to work because if I check with:

$headers = apache_request_headers();
$server = $_SERVER["HTTP_AUTHORIZATION"];

$headers contains what I want, but $server doesn't

So I moved on and decided to go with the setenvif_module, which seemed to be the right solution. I now have:

RequestHeader set Authorization "Basic ****"
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

even though I don't understand what the $1 means and what it does.

To explain further, my application has a login page index.php where no requests to host/server/rest/services are made and HTTP_AUTHORIZATION looks empty. Once I log in to my page application.php, all the requests are made, HTTP_AUTHORIZATION seems to be filled with what I want "Basic ****", but an empty REDIRECT_HTTP_AUTHORIZATION appears and the popup from the webservices asking for a user and a password still appears.

Do you have any idea of what I missed or might have done wrong?
Thank you for your help.

Apache – external token authentication

I am looking for a possibility to grant access to my website only by a token and to check my token by an external script (php or bash).

The URL looks like: https://example.com?t=f4V76tf784Tcf8343cAg

The Apache server has to handle this check. It has to pass the token to an external script for validation.

  • On positive validation, the user should get access for 12 hours. The token is then no longer needed for this period.

  • On negative validation the user should get a 403 Forbidden.

Are Apache modules helpful like mod_auth_token or mod_authnz_external?

Can’t get header Authorization in PHP

I have a CakePHP REST API working. I need basic authentication, using Authorization header.

On one server where I have the REST API, it works: I get the Authorization header OK. But on another server, I have exactly the same .htaccess and the Authorization header returns an empty string. After searching Google for hours without finding a solution, I am posting the problem here.

My .htaccess:

<IfModule mod_rewrite.c>
    RewriteEngine on
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    # The next two rules are added by CakePHP. Apache does not allow a
    # comment on the same line as a directive, so the note sits here.
    RewriteRule    ^$    webroot/    [L]
    RewriteRule    (.*) webroot/$1    [L]
</IfModule>

The second server, where the Authorization header does not work, has the mod_rewrite module enabled. So does the first server.

I noticed that I get the Authorization value (a string token) in REDIRECT_HTTP_AUTHORIZATION, but I need to get it in the HTTP_AUTHORIZATION header because of the architecture of the app.

Any suggestion? Thanks!

Apache24 authn_dbd

I am doing basic authentication via the Apache authn_dbd module, but I cannot proceed further. I always get the Password Mismatch.

It was working on AP22 with the deprecated auth_mysql module, but now I had to switch to authn_dbd.

The auth_mysql module had something like AuthMySQLPwEncryption and it was working like a charm, but authn_dbd does not have something like that.

Could someone please advise what to do now?

What am I doing wrong?

Thanks.

Authorization header is empty on PHP var_dump()

I'm sending a header to server with the following request headers:

Host: xx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: xx.com
Authorization: Bearer mytoken1234
X-Requested-With: XMLHttpRequest
Connection: keep-alive

In my PHP file I'm trying to view the headers with var_dump() and it shows the following:

["HTTP_ACCEPT"]=>
  string(74) "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
 ["HTTP_ACCEPT_ENCODING"]=>
  string(13) "gzip, deflate"
  ["HTTP_ACCEPT_LANGUAGE"]=>
  string(23) "en-US,en;q=0.8,fi;q=0.6"
  ["HTTP_AUTHORIZATION"]=>
  string(0) ""
  ["HTTP_CACHE_CONTROL"]=>
  string(9) "max-age=0"
  ["HTTP_CONNECTION"]=>
  string(10) "keep-alive"
  ["HTTP_COOKIE"]=>
  string(71) "cpsession=scocta5%3aBcbKZGvPoUCv2Yhb%2c2dc8a5c3bd6713b6ab029f16a46980e7"

I tried adding the following lines to my .htaccess:

   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

or

   RewriteEngine On
   RewriteCond %{HTTP:Authorization} ^(.*)
   RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Without these settings, Authorization header was not showing on var_dump() at all but now it's just string(0) "". Why isn't my server getting the Authorization header content?

convert rewrite rule from apache to nginx authorization request header modify

I'm currently trying to translate an Apache 2 Rewrite rule to Nginx and I'm struggling to convert it properly:

RewriteCond %{REQUEST_URI} /graphics/forestplot/ [NC]
RewriteCond %{HTTP:Authorization} ^$
RewriteCond %{HTTP:Cookie} (^|;\ *)access_token=([^;\ ]+)
RewriteCond %2 !=-1
RewriteRule .* - [E=AUTH_TOKEN:%2]
RequestHeader set Authorization "Bearer %{AUTH_TOKEN}e"     env=AUTH_TOKEN

The previous block basically checks if the request is for /graphics/forestplot/ and it gets the access_token from the request cookie and rewrites it onto an Authorization header.

This is what I've done so far...

map $cookie_access_token $auth_header {
    default $cookie_access_token;
    '-1' '';
    '' '';
}

server {

    location /graphics/forestplot/ {

        if ($auth_header ~ '.') {
            set $auth_header "Bearer ${auth_header}";
        }

        if ($http_authorization ~ '.') {
            set $auth_header $http_authorization;
        }

        proxy_set_header Authorization $auth_header;

        proxy_pass http://localhost:4000/;

    }
}

My code doesn't seem to do what I want when a blank 'Authorization' request is sent along with the HTTP request. It does work in other cases. I have run out of ideas; any help will be very much appreciated.

Thanks in advance
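
The behaviour the post above describes for its Apache block, modelled in Python as a reference to check an nginx translation against. This is an added example, not part of the original post; the function name `upstream_authorization` and the sample requests are constructed for illustration.

```python
import re

# Patterns copied from the RewriteCond lines in the post
# (Apache's "\ " is an escaped literal space).
PATH_RE = re.compile(r"/graphics/forestplot/", re.IGNORECASE)  # [NC] flag
COOKIE_RE = re.compile(r"(^|; *)access_token=([^; ]+)")        # case-sensitive


def upstream_authorization(uri, headers):
    """Return the Authorization value forwarded upstream (None = header absent)."""
    auth = headers.get("Authorization")
    # Cond 1: only requests whose URI contains the forestplot path are touched.
    if not PATH_RE.search(uri):
        return auth
    # Cond 2: "^$" matches a missing header and a blank one alike;
    # a client-supplied non-empty value is passed through unchanged.
    if auth:
        return auth
    # Cond 3: the cookie must be named exactly access_token (start or "; " before it).
    match = COOKIE_RE.search(headers.get("Cookie", ""))
    # Cond 4: the sentinel value "-1" means "no token", so nothing is rewritten.
    if match is None or match.group(2) == "-1":
        return auth
    # RequestHeader set Authorization "Bearer %{AUTH_TOKEN}e" env=AUTH_TOKEN
    return "Bearer " + match.group(2)


# Constructed sample requests: (URI, request headers).
SAMPLES = [
    ("/graphics/forestplot/1", {"Cookie": "sid=1; access_token=abc123"}),
    ("/graphics/forestplot/1", {"Authorization": "", "Cookie": "access_token=abc123"}),
    ("/graphics/forestplot/1", {"Authorization": "Basic Zm9v", "Cookie": "access_token=abc123"}),
    ("/graphics/forestplot/1", {"Cookie": "access_token=-1"}),
    ("/other/", {"Cookie": "access_token=abc123"}),
    ("/GRAPHICS/forestplot/1", {"Cookie": "xaccess_token=zzz; access_token=abc123"}),
    ("/graphics/forestplot/1", {"Cookie": "xaccess_token=zzz"}),
]


def run_samples():
    """Evaluate every constructed sample and return the forwarded values in order."""
    return [upstream_authorization(uri, hdrs) for uri, hdrs in SAMPLES]


if __name__ == "__main__":
    for (uri, hdrs), result in zip(SAMPLES, run_samples()):
        print(f"{uri!r} {hdrs!r} -> {result!r}")
```

The second sample is the blank `Authorization` case the post reports as failing in the nginx version; under the Apache conditions it is treated the same as a missing header.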

Restrict access to IP with htaccess

I need to restrict access to all except some IPs. I placed these lines into .htaccess:

Require all denied
Require ip 1.1.1.1 2.2.2.2

In this case, access is denied for all. If I use:

Require all granted
Require ip 1.1.1.1 2.2.2.2

everyone can access the directory.

The AllowOverride directive is set to All, mod_rewrite is installed and mod_authz is loaded, and Apache 2.4 is installed on an Ubuntu server. Any ideas?

UPDATE

I have tried also with

Require all denied
Require ip 1.1.1.1 
Require ip 2.2.2.2

But nothing...