httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41685] New: - Implement optional HTTP Authentication in a standards-compliant fashion
Date Fri, 23 Feb 2007 01:33:42 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=41685

           Summary: Implement optional HTTP Authentication in a standards-
                    compliant fashion
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: wayland@smartchat.net.au


It would be possible to implement optional HTTP Authentication (something that
people seem to want often enough; see links below) without violating any RFCs.  

Optional Auth Process
---------------------
The idea is that (if the feature were turned on) the process would work as follows:
1. A request comes in from a web browser for a page marked with optional
authentication
2. Seeing no authentication, Apache passes this on to the CGI/mod_perl that will
process it
3. The CGI/mod_perl sends back a response with a 401/WWW-Authenticate
4. Apache, seeing authentication in the response this time, processes the
authentication.  Either way, it passes control back to the CGI/mod_perl, but if
the authentication failed, it will not populate the variables containing the
username and the like.  It is up to the CGI/mod_perl how to respond to this.

Changes required
----------------
The change required in Apache to achieve this is fairly simple: if optional auth
is specified (e.g. in a .htaccess), pass control to the CGI/mod_perl even if the
auth fails; don't respond with a 401 or a WWW-Authenticate.

Suggested config syntax:
AuthOptional On

Presumably, this should also be part of AllowOverride AuthConfig.

Additional Information
----------------------
I'm not 100% sure this belongs in the core, but I was unsure where it did belong.

For reference, the complaints that people have about using HTTP Auth are
summarised in the following articles:
http://www.artima.com/weblogs/viewpost.jsp?thread=155252
http://fishbowl.pastiche.org/2003/12/30/saving_http_authentication

Some of their solutions involve changing RFCs.  Mine only involves adding a
configuration option which doesn't violate RFCs.

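The four-step flow proposed in the report above, modelled as a small Python WSGI layer. This is an added example, not part of the original message and not Apache httpd code. OptionalBasicAuth, check_password, demo_app, request, the USERS store and the /login path are all hypothetical names constructed for the illustration.

```python
import base64
import hmac
# Constructed demo credential store (assumption; real stores hold password hashes).
USERS = {"alice": "s3cret"}

def check_password(user, password):
    expected = USERS.get(user)
    # Constant-time comparison; an unknown user is still compared against "".
    same = hmac.compare_digest((expected or "").encode(), password.encode())
    return expected is not None and same

class OptionalBasicAuth:
    """Hypothetical WSGI layer modelling the proposed 'AuthOptional On'."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Drop any identity that did not come from this layer's own check.
        environ.pop("REMOTE_USER", None)
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except ValueError:
                decoded = ""
            user, sep, password = decoded.partition(":")
            if sep and check_password(user, password):
                environ["REMOTE_USER"] = user
        # Step 4: control passes on whether or not the credentials verified.
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    user = environ.get("REMOTE_USER")
    if environ.get("PATH_INFO") == "/login" and user is None:
        # Step 3: the application, not the server, issues the challenge.
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
        return [b"login required"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + (user or "anonymous")).encode()]

def request(path, user=None, password=None, extra=None):
    """Send one constructed request through the stack; returns (status, body)."""
    environ = {"PATH_INFO": path, **(extra or {})}
    if user is not None:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + cred
    seen = {}
    body = b"".join(OptionalBasicAuth(demo_app)(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

Because failed credentials no longer stop the request, the application behind such a layer has to treat a missing REMOTE_USER as anonymous on every protected path.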