httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject How apache can pass the Authorization: header to a script ? (was: Re: Apache CGI Authentication) (fwd)
Date Mon, 10 Nov 1997 16:23:37 GMT
Should we be chopping out the Proxy-Authorization before it is passed to
CGIs as well?

---------- Forwarded message ----------
>From: Aymeric Poulain Maubant <>
>Newsgroups: comp.infosystems.www.servers.unix
>Subject: How apache can pass the Authorization: header to a script ? (was: Re: Apache
CGI Authentication)
>Date: 10 Nov 1997 15:02:32 +0100
>Lines: 45
>Message-ID: <>
>References: <> <>
>X-Newsreader: Gnus v5.4.66/Emacs 19.34
>Xref: comp.infosystems.www.servers.unix:35237     

Michael Salmon <> writes:
> A script shouldn't get the authorization line, the web server should
> take care of all authorization. [...]

Hmm, not quite true.

- from  RFC 2068 : "Proxies MUST be completely transparent regarding
	user agent authorization. That is, they MUST forward the 
	WWW-Authenticate and Authorization headers untouched [...]"

Thus, a proxy server MUST let the last server in the chain resolve
the authorization process.

I do have a question on this topic, btw. I'm currently using an Apache
1.2.4 somewhere, and wrote a cgi-script which need to challenge the
client by sending her a WWW-Authenticate header. I WANT not my apache
server to deal then with the "Authorization: ..." response. Instead, I
WANT my cgi-script get this header untouched and play with it (this
script need to know who is calling it, and then pass along the
Authorization data to a second web server in a transparent manner).

I tried a version where the script sends a Proxy-Authenticate (407) to
the client : the Proxy-Authorization response from the client is
passed to the script via the apache1.2.4 as an ENV variable
(HTTP_PROXY_AUTHORIZATION).  Great! Unfortunately, not all browsers
know what is a 407 answer.

I would like this behaviour to work with a 401 answer as well. That
is, I would like apache1.2.4 to pass the simple "Authorization: ..."
response to my script, via an ENV variable. I read somewhere it is
possible which apache (otherwise it won't be RFC 2068 compliant), but
how can I do it ?

Thanks for your answers,


View raw message