Limiting Access Based on HTTP Methods


In general, you want your access control directives to apply to all types of client requests, and this is the default behavior. In some cases, however, you want to apply authentication and access rules to only certain HTTP methods such as GET and HEAD.

The <Limit> container takes a list of methods and contains the directives that apply to requests containing those methods. The complete list of methods that can be used is GET, POST, PUT, DELETE, CONNECT, OPTIONS, trACE, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.

The <LimitExcept> section provides complementary functionality, containing directives that will apply to requests not containing the listed methods.

Listing 25.5 shows an example from the default Apache configuration file. The <Limit> and <LimitExcept> sections allow read-only methods but deny requests to any other methods that can modify the content of the file system, such as PUT. For more information on the myriad options available here, see the Apache documentation at http://httpd.apache.org/docs-2.0/mod/core.html.

Listing 25.5. Restricting Access Based on Rule

 1: <Directory /home/*/public_html>  2:  AllowOverride FileInfo AuthConfig Limit  3:  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec  4:  <Limit GET POST OPTIONS PROPFIND>  5:   Order Allow,Deny  6:   Allow from all  7:  </Limit>  8:  <LimitExcept GET POST OPTIONS PROPFIND>  9:   Order Deny,Allow 10:   Deny from all 11:  </LimitExcept> 12: </Directory>

In the next section, you'll learn about restricting access on the application side based on information found in cookies.




Sams Teach Yourself PHP, MySQL And Apache All in One
Sams Teach Yourself PHP, MySQL and Apache All in One (3rd Edition)
ISBN: 0672328739
EAN: 2147483647
Year: 2004
Pages: 327

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net