Limit access to an URL with query parameters

Question

I need that an URL is accessible only for some defined users. In the URL there is a query parameter and that is the discriminator.

The URL could be something like this:

https://my.my.com/my-app/view/myView.xhtml?myQueryParam=allUsers

My experience in such apache configurations is ~ 0 and googling a little I could set up this:

RewriteEngine on
RewriteCond %{QUERY_STRING} myQueryParam=allUsers
RewriteRule "/my-app/view/myView[.]xhtml.*" - [E=no_auth_required:1]

<LocationMatch "/my-app/view/myView[.]xhtml.*">

               Require uniqueID user1ID user2ID

</LocationMatch>

Between xhtml and ? could come additional strings too, therefor the .*.

This works but the problem is that it also denies the access for ex. to the link

https://my.my.com/my-app/view/myView.xhtml?myQueryParam=somethingElse

It seems that it doesn't bother the value of the query parameter...

What do I miss?

EDIT: I forgot to say that I use Apache 2.2.

Did you have a look at http://stackoverflow.com/questions/14648078/apache-permissions-based-on-querystring#? — Phillip, Sep 08 '16 at 14:32
Rewrite has always been a mystery to me. Does `.*` take you all the way up to `myQueryParam=allUsers` ? — , Sep 08 '16 at 20:23
weird, did you intend to do something with no_auth_required? — covener, Sep 09 '16 at 00:19
@revo for all other possible values of `myQueryParam` there are no restrictions. — Francesco, Sep 09 '16 at 10:44
@Phillip it is exactly the sample I used for my solution, but as I wrote it deny the access where `myQueryParameter != allUsers... — Francesco, Sep 09 '16 at 10:58
@covener as said I have 0 (zero) knowledge of such things. I based my on what I found in other thrads... :) — Francesco, Sep 09 '16 at 10:59
IMHO it's a bad idea to do this in the Apache config. (All the more as you say you have near zero experience in Apache setup.) Better let the application define the authorization. Is the user authentication handled in Apache or in your application? — gsl, Sep 15 '16 at 12:57
@gsl You are right. This would only be a fast and temporary solution until it is solved in the application. — Francesco, Sep 19 '16 at 06:38

score 3 · Answer 1 · answered Sep 09 '16 at 12:27

3

^{Provided solution is for Apache v2.4}

Check env variable value by an If directive within a Location* directive:

RewriteCond %{QUERY_STRING} myQueryParam=allUsers
RewriteRule . - [E=no_auth_required:1]

<Location "/my-app/view/myView.xhtml">
    <If "reqenv('no_auth_required') == 1">
        Require uniqueID user1ID user2ID
    </If>
</Location>

answered Sep 09 '16 at 12:27

revo

47,783
14
74
117

As said, unfortunately I use Apache 2.2. Thank you anyway. – Francesco Sep 13 '16 at 07:10

Bamieh · Answer 2 · 2016-09-13T08:32:19.753

0

try this, basically telling apache match anything after xhtml that is not a question mark.

RewriteEngine on
RewriteCond %{QUERY_STRING} myQueryParam=allUsers
RewriteRule "/my-app/view/myView[.]xhtml[^?]*" - [E=no_auth_required:1]

<LocationMatch "/my-app/view/myView[.]xhtml[^?]*">

               Require uniqueID user1ID user2ID

</LocationMatch>

edited Sep 13 '16 at 08:32

answered Sep 13 '16 at 08:26

Bamieh

10,358
4
31
52

Thank you for the answer, but it still denies the access also when `myQueryParam=something else`. – Francesco Sep 13 '16 at 08:57

Limit access to an URL with query parameters

2 Answers2