httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: Thoughts on Auth
Date Thu, 29 Aug 1996 22:02:57 GMT

On Thu, 29 Aug 1996, Ben Laurie wrote:

> Prompted by the Basic/Digest auth debate, and the realisation that Digest auth
> doesn't support groups, I wonder if there is a case for an API split between

Actually, it does. Use AuthGroupFile. It works. Just like it does with DBM

> the "relating users to permissions" part of auth and the "verifying the user's
> identity" part.

No, there isn't, unfortunately. Way back when I wrote mod_digest, I tried. I
really did. The problem is that we store passwords crypted. Which doesn't
work for digest auth. And doesn't work for any of the other
challenge/response auth mechanisms out there. So I decided it wasn't worth
reworking the API for something that wouldn't be useful anyhow.

If NCSA had, three years ago, decided to store passwords in the clear in
htpasswd files, I would have done something like what you suggest when I
wrote mod_digest. But they didn't, so I didn't :)

> Perhaps something to consider for 2.0? Or 1.2 (given our current inability to
> support both at once, and HTTP/1.1 possibly requiring Digest if Basic is
> supported...)?

-- Alexei Kosut <>            The Apache HTTP Server
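
The point made in the message above, that a crypted password store cannot serve Digest auth, shown as an added example (not part of the original message and not Apache code). It assumes the RFC 2069 response form MD5(HA1:nonce:MD5(method:uri)); `one_way` is a stand-in for crypt(3), and all names, users and nonces are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def one_way(password: str, salt: str) -> str:
    # Stand-in for crypt(3) (assumption): salted and one-way, so the
    # server can re-hash a submitted password but never recover it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000).hex()

def ha1(user: str, realm: str, password: str) -> str:
    # Digest auth's long-term secret: needs the plaintext password once.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    return md5_hex(f"{ha1_hex}:{nonce}:{md5_hex(f'{method}:{uri}')}")

# Constructed sample data (hypothetical user, realm and nonce).
USER, REALM, PASSWORD, SALT = "alice", "example-realm", "correct horse", "ab"
NONCE, METHOD, URI = "constructed-nonce-0001", "GET", "/private/"

HTPASSWD = {USER: (SALT, one_way(PASSWORD, SALT))}        # crypted store
HTDIGEST = {(USER, REALM): ha1(USER, REALM, PASSWORD)}    # HA1 store

def client_digest_response(user: str, password: str) -> str:
    # What a browser sends: never the password, only a keyed hash of it.
    return digest_response(ha1(user, REALM, password), NONCE, METHOD, URI)

def basic_check(user: str, password_from_client: str) -> bool:
    # Basic auth delivers the plaintext, so re-hashing and comparing works.
    salt, stored = HTPASSWD[user]
    return hmac.compare_digest(one_way(password_from_client, salt), stored)

def digest_check_with_ha1(user: str, client_response: str) -> bool:
    expected = digest_response(HTDIGEST[(user, REALM)], NONCE, METHOD, URI)
    return hmac.compare_digest(expected, client_response)

def digest_check_with_crypted(user: str, client_response: str) -> bool:
    # All the server holds is one_way(password); using it in place of the
    # password yields a different HA1, so the expected response never matches.
    _, stored = HTPASSWD[user]
    expected = digest_response(ha1(user, REALM, stored), NONCE, METHOD, URI)
    return hmac.compare_digest(expected, client_response)

if __name__ == "__main__":
    resp = client_digest_response(USER, PASSWORD)
    print("basic vs crypted store :", basic_check(USER, PASSWORD))
    print("digest vs HA1 store    :", digest_check_with_ha1(USER, resp))
    print("digest vs crypted store:", digest_check_with_crypted(USER, resp))
```

The HA1 store verifies the response but is itself password-equivalent for that realm, which is the trade-off any challenge/response scheme forces on the credential file.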
