httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Re: Authorization
Date Tue, 15 Aug 1995 20:23:08 GMT
   From: Rob Hartill <>
   Date: Tue, 15 Aug 95 11:15:50 MDT

   I just wrote myself a mod_auth_func.c  which lets me define
   a function to check authorizatiob based on a password computed
   from the URL.

   It works ok (so far) but I had to change,

   int check_auth (request_rec *r) {
      return run_method (r, XtOffsetOf (module, auth_checker), 0);


      return run_method (r, XtOffsetOf (module, auth_checker), 1);

   is that safe ?

[Hoping he isn't *too* confused...]

It *shouldn't* be needed, at least not if everything is working as
intended... if it is, then the most likely cause is some module
(perhaps yours) failing to return DECLINED when it ought to --- in
particular, when there is no specific directive saying that it
applies.  (The cleanest way to do this might be to have a AuthFunc
.htaccess directive --- if you can put all the documents you're trying
to protect this way in some specific directory hierarchy, then you'd
only need to put this in the <Directory> or .htaccess for the root
directory there, and not once for each subdirectory, which avoids
replication --- which seems to be what you're trying to do).

(I guess that's what I get for not fully specifying the special
considerations for auth handlers in the API docs).

WRT the other issue you raised --- no, right now, there's no way to
force the basic auth machinery in http_protocol.c to use a realm
different from the standard one.  You've got a legitimate reason to do
it, though... for the moment, you could put modified versions of the
stuff in http_protocol.c (get_basic_auth_pw & note_basic_auth_failure)
into your own module (all they do is diddle headers_in and
error_headers_out, which modules are permitted to do).


View raw message