httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 41685] Implement optional HTTP Authentication in a standards-compliant fashion
Date Wed, 09 Mar 2011 22:41:20 GMT

--- Comment #4 from 2011-03-09 17:41:18 EST
(In reply to comment #3)
> Slightly confused.  What standard are you referencing here?

I think RFC 2617 is most relevant, although this really isn't a standards issue,
it's an issue with the way Apache configures and handles authentication.
Currently, Apache will only process an Authorization: header if there is a
require directive on the request.  My change above changes it so Apache will
always process an Authorization header.  This allows a module or CGI program
(or .asis file) to send a WWW-Authenticate challenge back to a client, but then
have Apache handle the resulting Authorization header.  Without this, the
module/CGI program would have to re-implement the authentication code that is
already in Apache.  For HTTP Basic, this is a trivial effort, but Digest or
Negotiate are both hard enough that it is attractive to use the existing code
in Apache rather than re-implementing it.  I have a program that sends a
WWW-Authenticate header, and then I use this config:

    <Location /semiprivate>
        AuthType Kerberos
        #require valid-user
        Krb5Keytab /path/to/keytab
        KrbMethodK5Passwd off
        KrbAuthoritative off
    </Location>

which, with the above patch, allows anonymous access until the program sends a
WWW-Authenticate header, at which point browsers will send an Authorization
header, and then Apache will authenticate them.  Prior to the time the program
sends the WWW-Authenticate header, the user can access resources in
/semiprivate anonymously.
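Added example (not Apache's code and not the patch from this bug): a small Python model of the two server behaviours the comment contrasts for a location with no require directive. With always_process_authz=False the Authorization header is ignored (the pre-patch behaviour); with always_process_authz=True it is verified and REMOTE_USER is set, while the application layer decides per resource whether to serve anonymously or to send the WWW-Authenticate challenge. The user store, realm, paths and the use of HTTP Basic instead of Kerberos are constructed for the example; rejecting a header that fails verification with 401 rather than treating the request as anonymous is a design choice made here, not something the bug states.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential store for the example (hypothetical user; a real
# deployment would hold password hashes, not plaintext).
USERS = {"alice": "correct horse battery staple"}
CHALLENGE = 'Basic realm="semiprivate"'  # constructed realm name


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    remote_user: Optional[str] = None


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends after a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64(user:password)>'; return None for anything malformed."""
    scheme, _, param = value.strip().partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        raw = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison; unknown users are compared against an empty dummy."""
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return ok and user in USERS


def handle_request(path: str, headers: Dict[str, str], always_process_authz: bool) -> Response:
    """Server-side flow for a location that has no 'require' directive.

    always_process_authz=False: Authorization is ignored (pre-patch behaviour).
    always_process_authz=True: any Authorization header present is verified and
    REMOTE_USER is set; a header that fails verification gets 401 (choice made
    in this model, not taken from the bug).
    """
    remote_user = None
    authz = headers.get("Authorization")
    if authz is not None and always_process_authz:
        creds = parse_basic(authz)
        if creds is None or not check_credentials(*creds):
            return Response(401, {"WWW-Authenticate": CHALLENGE})
        remote_user = creds[0]

    # Application layer (the "program" in the comment): it serves most of
    # /semiprivate anonymously and challenges only for the account resource.
    if path.startswith("/semiprivate/account"):
        if remote_user is None:
            return Response(401, {"WWW-Authenticate": CHALLENGE})
        return Response(200, remote_user=remote_user)
    return Response(200, remote_user=remote_user)


if __name__ == "__main__":
    good = {"Authorization": basic_header("alice", "correct horse battery staple")}
    print(handle_request("/semiprivate/index.html", good, False))  # header ignored
    print(handle_request("/semiprivate/index.html", good, True))   # REMOTE_USER=alice
    print(handle_request("/semiprivate/account", {}, True))        # 401 + challenge
```

The point the model makes visible: once the server verifies every Authorization header it receives, the application can still serve anonymous requests, but a client that presents credentials is authenticated on every request, not only where a require directive applies.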

