Differences

This shows you the differences between two versions of the page.

documentation:2.1:writingrulesand_headers [2019/01/15 15:55]
127.0.0.1 external edit
documentation:2.1:writingrulesand_headers [2019/11/06 10:19] (current)
cmaudoux [Writing rules and headers]
Line 18: Line 18:
  
 See also [[extendedfunctions|extended functions]]. See also [[extendedfunctions|extended functions]].
- 
 ===== Rules ===== ===== Rules =====
  
Line 55: Line 54:
 <note important>​Only current application is concerned by logout_app* targets. Be careful with some applications which doesn'​t verify Lemonldap::​NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.</​note>​ <note important>​Only current application is concerned by logout_app* targets. Be careful with some applications which doesn'​t verify Lemonldap::​NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.</​note>​
  
-==== Rules on authentication level ====+==== Rules based on authentication level ====
  
-LLNG set an "​authentication level" during authentication process. This level is the value of the authentication backend used for this user. Default values are:+LLNG set an "​authentication level" during authentication process. This level depends on authentication backend used by this user. Default values are:
   * 0 for [[authnull|Null]]   * 0 for [[authnull|Null]]
   * 1 for [[authcas|CAS]],​ [[authopenid|old OpenID-2]], [[authfacebook|Facebook]],​…   * 1 for [[authcas|CAS]],​ [[authopenid|old OpenID-2]], [[authfacebook|Facebook]],​…
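
Review bot: Renaming the heading from "Rules on authentication level" to "Rules based on authentication level" changes the section anchor DokuWiki derives from the heading text, so links from other pages to the old section anchor should be checked and updated with this edit. In the rewritten sentence below it, "LLNG set" should read "LLNG sets" and "depends on authentication backend used by this user" needs an article ("on the authentication backend used by this user").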
Line 65: Line 64:
   * 5 for [[authssl|SSL]]   * 5 for [[authssl|SSL]]
  
-There are two way to impose users to have high authentication level: +There are three ways to impose users a higher ​authentication level: 
-  * writing a rule based en authentication level: ''​$authenticationLevel > 3''​ +  * writing a rule based on authentication level: ''​$authenticationLevel > 3''​ 
-  * since 2.0, set a minimum level in virtual host options+  * set a minimum level in virtual host options ​(default value for ALL access rules) 
 +  * a minimum authentication level can be set for each URI access rule. Useful if URI are protected by different types of handler (AuthBasic -> level 2, Main -> level set by authentication backend). 
 + 
 +<note tip>​Instead of returning a 403 code, "​minimum level" returns user to a form that explain that a higher level is required and propose to reauthenticate himself.</​note>​ 
 + 
 +==== Using regexp capture in rules ==== 
 + 
 +If URL regexp captures something //(using parenthesis)//,​ you can use them in the corresponding rule using ''​$_rulematch[1]''​. Example: only user can access to its personal area: 
 +  * Regexp: ''/​^public_html/​(\w+)(/​.*)?​$''​ 
 +  * Rule: ''​$uid eq $_rulematch[1]''​
  
-<note tip>​Instead of returning a 403 code, "​minimum level" returns user to a form that explain that a higher level is required and propose to user to reauthenticate itself.</​note>​+$_rulematch is an array that contains all captured strings. First index is 1.
  
 +<note warning>​This feature requires Perl ≥ 5.25.7</​note>​
 ===== Headers ===== ===== Headers =====
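
Review bot: The added regexp example, /^public_html/(\w+)(/.*)?$, places the ^ anchor after the leading slash. Read as a plain pattern, a start-of-string anchor following a literal "/" never matches, and read as a delimited pattern it lacks the closing delimiter. If the intent is a path beginning with /public_html/, write ^/public_html/(\w+)(/.*)?$. Because the rule $uid eq $_rulematch[1] is an access decision, the "requires Perl ≥ 5.25.7" warning should also state what the rule evaluates to on older Perl versions, so administrators know whether access is denied or granted there. Minor wording: "impose users a higher authentication level" and "Useful if URI are protected" would read better as "require a higher authentication level from users" and "Useful if URIs are protected".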