httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 30092] New: - ap_get_basic_auth_pw: Don't check for *static* AuthType "Basic"
Date Wed, 14 Jul 2004 06:38:06 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30092>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30092

ap_get_basic_auth_pw: Don't check for *static* AuthType "Basic"

           Summary: ap_get_basic_auth_pw: Don't check for *static* AuthType
                    "Basic"
           Product: Apache httpd-1.3
           Version: 1.3.31
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dietmar.berg@alcatel.at


We want to allow fallback from a more involved authtype such as the Negotiation 
protocol (SPNEGO) to plain basic auth with the standard mod_auth or others by 
setting an appropriate WWW-Authenticate header and declining.

ap_get_basic_auth_pw() won't descramble the password from the Authorization 
header unless the request has a *static* AuthType declaration of "Basic" (which 
contradicts the AuthType required for the more involved protocol). By 
omitting this check, authentication modules designed for basic auth can still 
retrieve the user-supplied password when they are being called in a chain. 
ap_get_basic_auth_pw() will still check for a *dynamic* AuthType of "Basic", 
so we can be sure not to return an inappropriate value.

Without this change, modules designed for basic authentication would need to re-
implement the password extraction & descrambling (which some of them actually 
do).

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
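
A minimal stand-alone model of the two checks the report distinguishes, added here as an illustration (it is not httpd's source or the reporter's patch): the static gate on the configured AuthType and the dynamic gate on the scheme the client sent in the Authorization header. The function name, the return-code names and the sample headers are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Return codes of this model (constructed; not taken from httpd headers). */
enum { M_OK = 0, M_DECLINED = -1, M_AUTH_REQUIRED = 401 };

/* Minimal base64 decoder: writes a NUL-terminated string, -1 on bad input. */
static int b64_decode(const char *src, char *dst, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *src && *src != '='; src++) {
        const char *p = strchr(tbl, *src);
        if (!p || n + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) >= 8) { bits -= 8; dst[n++] = (char)((acc >> bits) & 0xFF); }
    }
    dst[n] = '\0';
    return (int)n;
}

/* require_static=1: behaviour the report describes; 0: the proposed change. */
int basic_auth_pw(const char *static_type, const char *authz, int require_static,
                  char *user, char *pw, size_t cap) {
    char buf[256], *colon;
    if (require_static && (!static_type || strcasecmp(static_type, "Basic") != 0))
        return M_DECLINED;            /* static gate: configured AuthType */
    if (!authz || strncasecmp(authz, "Basic ", 6) != 0)
        return M_AUTH_REQUIRED;       /* dynamic gate: scheme sent by the client */
    if (b64_decode(authz + 6, buf, sizeof buf) < 0 || !(colon = strchr(buf, ':')))
        return M_AUTH_REQUIRED;       /* malformed credentials */
    *colon++ = '\0';
    if (strlen(buf) >= cap || strlen(colon) >= cap) return M_AUTH_REQUIRED;
    strcpy(user, buf);
    strcpy(pw, colon);
    return M_OK;
}

int main(void) {
    char u[64], p[64];
    const char *basic = "Basic dXNlcjpwYXNz";   /* constructed: user:pass */
    const char *nego  = "Negotiate YIIabc";     /* constructed token */
    printf("static on,  Basic header:     %d\n", basic_auth_pw("Negotiate", basic, 1, u, p, sizeof u));
    printf("static off, Basic header:     %d\n", basic_auth_pw("Negotiate", basic, 0, u, p, sizeof u));
    printf("static off, Negotiate header: %d\n", basic_auth_pw("Negotiate", nego, 0, u, p, sizeof u));
    return 0;
}
```

With the static gate off, the dynamic gate is the only thing that keeps a non-Basic token from being decoded as a password, so it is the check a reviewer of such a change would want covered by tests.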

