2

I couldn't think of a good title for this. Basically I have basic auth that covers the whole site from /, but I want urls with certain parameters to be excluded from authentication.

Example: do not authenticate if there is a parameter named "zzz"

Protected
http://example.com/
http://example.com/?xxx=xxx&yyy=yyy

Not Protected
http://example.com/?zzz=zzz
http://example.com/?xxx=xxx&zzz=zzz

Tried doing something like

<LocationMatch "/zzz/">
  Allow from all
  Satisfy any
</LocationMatch>

with now avail. From what I understand parameters do not seem to be seen by the LocationMatch, is this correct? or am I doing it all wrong?

Saifis
  • 209
  • 3
  • 13
  • 1
    `LocationMatch` as well as `Location` directives do not work with query string parameters -- only with path part of the URL: http://httpd.apache.org/docs/current/mod/core.html#location. – LazyOne Aug 09 '11 at 15:36

1 Answers1

3

LocationMatch definitely cannot do this. You may be able to get the desired behavior out of mod_rewrite using the QUERY_STRING parameter, but I would still classify that as "doing it wrong" - you don't want to run into a situation where you always allow queries through without auth when ?logout=true, but then you add a page later that's not looking for the logout param in the same way.

I'd recommend changing your application to use a fake directory structure instead of just query params, or else just having your application handle all of the authentication logic itself.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • I know it looks wrong, but all I need to do is hide the information that is generated when that specific parameter is set. fake directory structure sounds like the way to go – Saifis Aug 10 '11 at 04:35