httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject Re: authentication of included documents
Date Fri, 07 Apr 1995 01:14:48 GMT

This wasn't responded to, but needs to be, even though I think I've 
talked about this subject before.

At a general level, you're describing a compound object for which one needs
two "keys" to be able to view it.  Unfortunately HTTP 1.0 and 1.1 only allow
for one "key" to be mapped to a resource.  Thus, it's logical for us as 
HTTP server authors to state that this is something we can not fully do - 
I would suggest the correct response would be to provide the one page for 
which the user can authenticate themselves, and refuse to follow 
server-side includes that go into other realms (replace what would have 
been included with "401 not authorized" or something).  In fact, this is 
exactly what NCSA's httpd does.  However, as an administrative option, 
the server could be configured to allow multiple-realm accesses if the 
user names and passwords are the exact same for each - the onus is on the 
administrator to disallow similar names and passwords where the people 
are actually different, so making it an option for them to tweak is 

All this in my humble opinion of course.


On Tue, 4 Apr 1995, David Robinson wrote:
> Suppose I have a parsed html file, /john/secret.shtml that is protected
> by basic authentication in the realm (kingdom?) JohnsStuff.
> This file #includes's another document, /david/bb.html, which is also
> protected, in the realm TheBB.
> What should httpd do when a user accesses /john/secret.shtml with a correct
> username & password for the JohnsStuff realm? At present, it will look up
> the username and password in the TheBB realm, and if there is a match then
> the #include will succeed.
> This seems wrong to me. The client has only provided credentials for the
> JohnsStuff realm, so it shouldn't be able to access files in the TheBB realm.
> Of course, the actually probability of a security hole because two independent
> users have the same usernames and passwords is small.
> I think that httpd should disallow includes (and execs) of documents in
> different realms. What do folks think?
>  David.


View raw message