httpd-dev mailing list archives

From Doug MacEachern <do...@opengroup.org>
Subject authenticating once
Date Thu, 06 Feb 1997 22:54:48 GMT
The apache gears grind through the authentication handlers more than
once per request, any number of times when trying to resolve a directory
request to index.html, index.htm, index.shtml, index.phtml, etc.  This
is fine with most mod_auth* modules, because they are just a weak test
'if real_pw equals sent_pw'.  However, with kerberos, httpd attempts
to authenticate using the same ticket sent by the client each time,
which kerberos treats as a replay attack.  James and those who use
mod_auth_kerb with ApacheSSL+Basic challenge do not see this, since
httpd will obtain a ticket for you during each main/sub request with
the username/password sent by the browser. Below is a patch against
James' mod_auth_kerb inside the kerb_authenticate_user() handler.
Any concerns with this method of authenticating once per HTTP request?

-Doug

*** mod_auth_kerb-3.0.c.orig    Thu Feb  6 17:43:18 1997
--- mod_auth_kerb-3.0.c Thu Feb  6 17:44:49 1997
***************
*** 814,820 ****
  
        return AUTH_REQUIRED;
     }
!  
     /*
      * Did they send us a Basic auth anyways?
      * If so, we have a client other than Kerberized NCSA Mosaic > 2.7
--- 814,827 ----
  
        return AUTH_REQUIRED;
     }
! 
!    if(r->main != NULL) /* this is a sub-request */
!        return OK;
!    else if(r->prev != NULL) /* this is an internal_redirect */
!        return OK;
!    /* this is the initial main request, we only get here *once* per HTTP request */
!    /* let's go on to authenticate... */
! 
     /*
      * Did they send us a Basic auth anyways?
      * If so, we have a client other than Kerberized NCSA Mosaic > 2.7
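Review bot: the early `return OK` for `r->main != NULL` and `r->prev != NULL` grants access without checking that the parent request was actually authenticated by this module; it is only safe if every sub-request and internal redirect descends from a main request that has already passed kerb_authenticate_user, which does not hold when the parent location is not Kerberos-protected and the child location is. Instead of returning OK unconditionally, record the verdict on the main request once its ticket has been verified and have sub-requests and redirects return that stored result, falling through to the normal authentication path when no verdict exists; the ticket is still presented only once per HTTP request, which is what the patch sets out to achieve. Minor: the two branches are identical and read more plainly as `if (r->main != NULL || r->prev != NULL) return OK;`.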

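Added example, not code from the post or from mod_auth_kerb: a constructed, self-contained C mock of the two request_rec fields the patch tests (main, prev) that places the patch's unconditional early return beside a variant which verifies the ticket once per HTTP request and stores the verdict on the main request, so sub-requests inherit the verdict rather than skipping the check. verify_ticket, root_request, kerb_authenticate_user_once, kdc_calls and the ticket strings are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the Apache 1.x request_rec: only the fields the
 * patch relies on (main, prev) plus mock credential state. Not the real API. */
enum { OK = 0, AUTH_REQUIRED = 401 };

typedef struct request_rec {
    struct request_rec *main;  /* parent when this is a sub-request */
    struct request_rec *prev;  /* previous request after an internal redirect */
    const char *ticket;        /* client's Kerberos ticket (constructed value) */
    int kerb_verified;         /* set once this HTTP request's ticket was verified */
} request_rec;

static int kdc_calls = 0;      /* how often a ticket was presented for verification */

/* Mock verifier; a real KDC would reject a second presentation as a replay. */
static int verify_ticket(const char *ticket) {
    kdc_calls++;
    return ticket != NULL && strcmp(ticket, "good-ticket") == 0;
}

/* The logic from the posted patch: any sub-request or internal redirect is OK. */
int kerb_authenticate_user_patch(request_rec *r) {
    if (r->main != NULL || r->prev != NULL)
        return OK;             /* granted without consulting any stored verdict */
    return verify_ticket(r->ticket) ? OK : AUTH_REQUIRED;
}

/* Follow main/prev links to the request that carries the client's credentials. */
static request_rec *root_request(request_rec *r) {
    for (;;) {
        if (r->main) r = r->main;
        else if (r->prev) r = r->prev;
        else return r;
    }
}

/* Hardened variant: verify the ticket at most once per HTTP request and record
 * the verdict on the root request; sub-requests reuse it, and a sub-request
 * whose parent was never authenticated still has to authenticate. */
int kerb_authenticate_user_once(request_rec *r) {
    request_rec *root = root_request(r);
    if (root->kerb_verified)
        return OK;             /* verified earlier in this HTTP request: no replay */
    if (!verify_ticket(root->ticket))
        return AUTH_REQUIRED;
    root->kerb_verified = 1;
    return OK;
}
```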