tags:

views:

158

answers:

2
+1  Q: 

Authentication for a browser-based application dependent on the client machine

How do you make the authentication for a browser-based application dependent on the client machine? Say the admin can login only from this machine.

Assumptions: There is complete control over the network and all machines (client and server) involved.

I am looking for an apache/linux solution.

+2  A: 

You need to come up with some way of identifying this machine. What iis important in your application? Physical location? IP address?

If you have complete control over the machines I would use SSL with client certficates, and put the client certificate only on the machine that must be used. See here for details on how to configure this with Apache

As that article says, you can set Apache to require the certificate, a user name and password AND limit connectivity to specifc IP addresses.

EDIT: You don't need a separate web server to use client certificates.

You might need a separate URL depending on how your application works.

Note the example configures certificates only for a certain Directory

 <Directory "/www/hidden/docs">

. So have certain classes of user login differently, or redirect them after login to the client-certificate-protected part of your website

Paul  2008-12-13 11:02:57
Thanks for the link. I haven't read through fully, but from the introduction, it seems like the guide is an all or nothing setup. My requirement is to allow a particular class of user to login from a particular location.
Shoan  2008-12-13 11:13:48
"...only certain self-signed user certificates to connect to the webserver. Any other browser connects will be discarded." Do I need to have a separate webserver for each user type for the same application?
Shoan  2008-12-13 11:15:12
Added a bit more detail to my answer
Paul  2008-12-13 11:52:23
Thanks Paul. Wouldn't another drawback be that it would require the same number of ip addresses as user types?
Shoan  2008-12-13 12:02:47
Not if you use different directories?
Paul  2008-12-13 12:26:31
A: 

If you are worried about malicious attempts to spoof the client workstation on the network, you could look into setting up IPSEC on the client and server, then you can simply use the IP address and treat it as trusted - i.e. use standard Apache techniques to control access by IP.

Or if you consider your network trusted, just give the client a static IP and use standard apache techniques to limit access by IP.

Both require some admin work on the network level but the bonus is you shouldn't need to change your application.

frankodwyer  2008-12-14 01:55:37

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?