From (Robert S. Thau)
Subject Re: How to authorize everyone?
Date Wed, 24 Jul 1996 19:44:32 GMT
  As soon as a mod_php script returns a 401 and
  the client sends the authentication request, Apache couldn't care
  less whether or not there was any directive to turn on authentication
  for that particular URL and it will go ahead and try to authenticate
  the request even though the intent was to have mod_php do it.

Incorrect.  The current mod_auth* stuff does not do anything unless it
has been explicitly turned on in the server config files.  If it
hasn't been, any Authorization: headers supplied by the client
(perhaps in response to a prior 401) are simply ignored.

To repeat --- if util_script.c is hacked so that CGI scripts see
the contents of the "Authorization:" header, they can do custom auth.
People have tried this, and it works.  It wouldn't, if things worked
as you suggest above.
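
An added example, not part of the original message: a CGI script that does its own Basic authentication once the server passes the header through. The variable name `HTTP_AUTHORIZATION`, the realm and the user table are assumptions made for illustration.

```python
import base64
import binascii
import hmac
import os

# Constructed credentials; a real script would check a salted hash instead.
USERS = {"alice": "correct horse"}
REALM = "custom-cgi"


def parse_basic(header):
    """Return (user, password) from a Basic Authorization value, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(environ):
    """Decide the CGI response from the environment the server passed in."""
    # HTTP_AUTHORIZATION is an assumed name: the server must have been
    # changed to export the header to scripts, as the message describes.
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        # compare_digest avoids leaking the match position through timing
        if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
            return "200 OK", {"Content-Type": "text/plain"}, "hello " + user + "\n"
    # Missing, malformed or wrong credentials: the script itself issues the 401
    headers = {"WWW-Authenticate": 'Basic realm="%s"' % REALM, "Content-Type": "text/plain"}
    return "401 Unauthorized", headers, "authentication required\n"


if __name__ == "__main__":
    status, headers, body = handle(os.environ)
    print("Status: " + status)
    for k, v in headers.items():
        print(k + ": " + v)
    print()
    print(body, end="")
```

Because the server's own auth modules are not enabled for the URL, the script is the only thing evaluating these credentials, so every failure path has to end in the 401.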


