httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: How to authorize everyone?
Date Wed, 24 Jul 1996 17:27:49 GMT
  No, more because I want a mechanism to optionally bypass the authentication
  in Apache and let another module do the actual authentication without
  having to make this other module a real authentication module.

Ummm... I'm not sure I understand the problem.  The easiest way to
"bypass" the Apache native auth facilities is to just leave them
turned off.  That is, don't do anything at all to the config files,
and have mod_php return 401 if auth is absent, and otherwise just
do its thing.

For example, CGI scripts can do their own custom auth in this fashion,
*if* util_script.c is hacked to pass on the Authorization: header to
the script as HTTP_AUTHORIZATION.  (There is actually an explicit check
in there now to *prevent* CGI from doing custom auth --- the notion being
that at installations which have to tolerate scripts installed by untrusted 
users, you don't want them being able to fake auth.  PHP, however, when
functioning as a module, has access to the Authorization: header just like
everything else in the server does, and can do what it likes).

rst




Mime
View raw message