<Query> element is used to apply content rules to requests containing specific query string parameters.
Query string matching can be difficult, because the client totally dictates the information, and case matters. It should be used only when the case of the parameter name is significant to the application consuming it, because then the client can bypass your rule, but not actually get the application to run.
Up to version 2.4 POST data is lost in an HTTP POST requests with query strings due to a bug in the CGI parser. HTTP GET requests with a query string only or HTTP POST request without query strings should however work fine.
Find below a real-lfile example for a
<Query> element that is used to protect specific pages in a Dokuwiki instance. This example enforces a Shibboleth session on https://www.example.org/doku.php and only users with the given affiliation will be able to access URLs like https://www.example.org/doku.php?id=internal or https://www.example.org/doku.php?id=internal:subdirectory. Please note that the
AccessControl rule only is enforced for a URL that starts with /doku.php
<RequestMap applicationId="default"> <Host name="www.example.org"> <Path name="doku.php" authType="shibboleth" requireSession="true"/> <Query name="id" regex="^internal.*"> <AccessControl> <Rule require="affiliation">firstname.lastname@example.org email@example.com</Rule> </AccessControl> </Query> </Path> </Host> </RequestMap>
XML attributes corresponding to request mapper properties are used.
Unlike paths, query strings aren't nested, but nesting the element allows for a conjunction between the parent element and the child. Sibling elements, meanwhile, form a disjunction.
For more details on how the request mapping process works, see the request mapper HOWTO.