How do you make the authentication for a browser-based application dependent on the client machine? Say the admin can log in only from this machine.

Assumptions: There is complete control over the network and all machines (client and server) involved.

I am looking for an apache/linux solution.

+2  A: 

You need to come up with some way of identifying this machine. What is important in your application? Physical location? IP address?

If you have complete control over the machines I would use SSL with client certificates, and put the client certificate only on the machine that must be used. See here for details on how to configure this with Apache.

As that article says, you can set Apache to require the certificate, a user name and password AND limit connectivity to specific IP addresses.

EDIT: You don't need a separate web server to use client certificates.

You might need a separate URL depending on how your application works.

Note the example configures certificates only for a certain Directory (`<Directory "/www/hidden/docs">`). So have certain classes of user login differently, or redirect them after login to the client-certificate-protected part of your website.

Paul
Thanks for the link. I haven't read through fully, but from the introduction, it seems like the guide is an all or nothing setup. My requirement is to allow a particular class of user to login from a particular location.
Shoan
"...only certain self-signed user certificates to connect to the webserver. Any other browser connects will be discarded." Do I need to have a separate webserver for each user type for the same application?
Shoan
Added a bit more detail to my answer
Paul
Thanks Paul. Wouldn't another drawback be that it would require the same number of ip addresses as user types?
Shoan
Not if you use different directories?
Paul
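For the per-directory setup Paul describes, here is an added example Apache 2.4 configuration; it is not from the original answer or the linked article, and the file paths, the certificate CN value and the IP address are assumptions.

```apache
# Added example (not from the original answer): an Apache 2.4 vhost fragment
# that gates only the admin area on three things at once, as the answer
# describes: a client certificate, a username/password, and a source IP.
# The paths, the CN value and the IP address are placeholder assumptions.
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # CA that issued the single client certificate installed on the admin machine.
    SSLCACertificateFile  /etc/ssl/certs/internal-client-ca.crt

    # The rest of the site stays ordinary: no client certificate is requested,
    # so ordinary users never see a certificate prompt.
    SSLVerifyClient none

    <Directory "/www/hidden/docs">
        # Per-directory requirement: the browser must present a certificate
        # that chains to the CA above (Apache renegotiates the TLS session here).
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        # Second factor: a normal password login for the admin account.
        AuthType Basic
        AuthName "Admin area"
        AuthUserFile /etc/apache2/admin.htpasswd

        # All three conditions must hold: certificate subject, login, source IP.
        # A stolen password alone, or a stolen certificate used from another
        # host, is refused.
        <RequireAll>
            Require expr %{SSL_CLIENT_S_DN_CN} == "admin-workstation"
            Require valid-user
            Require ip 192.0.2.10
        </RequireAll>
    </Directory>
</VirtualHost>
```

One caveat: per-directory `SSLVerifyClient` relies on TLS renegotiation, which TLS 1.3 clients do not always support, so if the certificate prompt never appears, move `SSLVerifyClient require` to a dedicated virtual host (a separate hostname, not a separate server) for the admin area instead.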
A: 

If you are worried about malicious attempts to spoof the client workstation on the network, you could look into setting up IPsec on the client and server, then you can simply use the IP address and treat it as trusted - i.e. use standard Apache techniques to control access by IP.

Or if you consider your network trusted, just give the client a static IP and use standard Apache techniques to limit access by IP.

Both require some admin work on the network level but the bonus is you shouldn't need to change your application.

frankodwyer