Question - authorization user per folder

AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

Other

79 stars 46 forks source link

Question - authorization user per folder #43

Closed apishta closed 3 years ago

apishta commented 3 years ago

Hi,

Is it possible to implement authorization in the following way:

Every user has his own folder
User is allowed to access only his folder
We will need to add users and folders not changing the apache config file
The folder name with be same as the username

Thnx, Istvan

AnthonyDeroche commented 3 years ago

Hey,

Yes it is possible. Whatever the module you use for authentication (files, databases, ...), it does not require to restart Apache if you add users. All you have to do then is to get the folder (PATH_INFO) from the requested URL and compare it with the current authenticated user (REMOTE_USER).

apishta commented 3 years ago

Hi Anthony,

Thnx for your quick answer. I don't have access to REMOTE_USER, actually, it is empty, because I don't use jwt-login-handler. I am using the JWT created by the external application.
Would be possible to make the following: parse a folder name from PATH_INFO and compare it with the username from JWT Require jwt-claim user=folder_name ?

Thank you very much.

AnthonyDeroche commented 3 years ago

The REMOTE_USER is set whatever you use the jwt-login-handler or not. After the signature check, the REMOTE_USER is extracted from the token claims (using AuthJWTAttributeUsername).

AnthonyDeroche commented 3 years ago

Did you finally succeed ?

apishta commented 3 years ago

I did not have time to work on this yet. Probably I will do it in the next weeks. Thanks for asking.

germainm commented 3 years ago

The REMOTE_USER is set whatever you use the jwt-login-handler or not. After the signature check, the REMOTE_USER is extracted from the token claims (using AuthJWTAttributeUsername).

How can the client get REMOTE_USER ? I don't see that value returned. Only the json token is returned and some headers like Content-Type and Content-Length.

It probably has to do with apache Header module but I could not getting it to work .

AnthonyDeroche commented 3 years ago

The REMOTE_USER is usually not intended to the client but the to the backend application. The app may decode it and expose a service to get data. If you need so, you can probably set a header in the response with the REMOTE_USER.

The following code allow you to add the header in the request. For the response, you could try the same way with the "Header" directive.

RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set X-Remote-User "%{RU}e" env=RU

AnthonyDeroche commented 3 years ago

Did everyone succeed to get the REMOTE_USER ?

apishta commented 3 years ago

I have decided to extend WebdavServlet on tomcat. That solution was a more suitable solution for my project.