httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (David Robinson)
Subject Re: authentication of included documents
Date Fri, 07 Apr 1995 11:17:00 GMT
Brian wrote:
>At a general level, you're describing a compound object for which one needs
>two "keys" to be able to view it.  Unfortunately HTTP 1.0 and 1.1 only allow
>for one "key" to be mapped to a resource.  Thus, it's logical for us as 
>HTTP server authors to state that this is something we can not fully do - 
>I would suggest the correct response would be to provide the one page for 
>which the user can authenticate themselves, and refuse to follow 
>server-side includes that go into other realms (replace what would have 
>been included with "401 not authorized" or something).  In fact, this is 
>exactly what NCSA's httpd does.  However, as an administrative option, 
>the server could be configured to allow multiple-realm accesses if the 
>user names and passwords are the exact same for each - the onus is on the 
>administrator to disallow similar names and passwords where the people 
>are actually different, so making it an option for them to tweak is 

Yes, I agree in general. So my plan is to first make a patch which closes this
'feature', and then we can think about how to selectively re-enable it.
This probably won't get into the 0.5 release, as I have a long list
of bugs in http_include.c to fix first.


P.S. A couple of days ago I uploaded O53-xbithack-tidy-1.txt; this tidies
up the UXBITHACK/XBITHACK defines. (I'm satisifed we don't need two separate

View raw message