Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 24865 invoked by uid 6000); 10 Nov 1997 16:23:42 -0000
Received: (qmail 24857 invoked from network); 10 Nov 1997 16:23:40 -0000
Received: from valis.worldgate.com (marcs@198.161.84.2) by taz.hyperreal.org with SMTP; 10 Nov 1997 16:23:40 -0000
Received: from localhost (marcs@localhost) by valis.worldgate.com (8.8.7/8.8.7) with SMTP id JAA05352 for ; Mon, 10 Nov 1997 09:23:37 -0700 (MST)
Date: Mon, 10 Nov 1997 09:23:37 -0700 (MST)
From: Marc Slemko
To: Apache - BYOC
Subject: How apache can pass the Authorization: header to a script ? (was: Re: Apache CGI Authentication) (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Should we be chopping out the Proxy-Authorization before it is passed to
CGIs as well?

---------- Forwarded message ----------
>Path: scanner.worldgate.com!news.maxwell.syr.edu!newsfeed.eerie.fr!oleane!jussieu.fr!univ-angers.fr!univ-rennes1.fr!enst-bretagne.fr!not-for-mail
>From: Aymeric Poulain Maubant
>Newsgroups: comp.infosystems.www.servers.unix
>Subject: How apache can pass the Authorization: header to a script ? (was: Re: Apache CGI Authentication)
>Date: 10 Nov 1997 15:02:32 +0100
>Lines: 45
>Sender: maubant@bernoulli.enst-bretagne.fr
>Message-ID:
>References: <878915312.27215@dejanews.com> <3466CB06.A54BF4B1@uab.ericsson.se>
>NNTP-Posting-Host: bernoulli.enst-bretagne.fr
>X-Newsreader: Gnus v5.4.66/Emacs 19.34
>Xref: scanner.worldgate.com comp.infosystems.www.servers.unix:35237

Michael Salmon writes:

[...]
> A script shouldn't get the authorization line, the web server should
> take care of all authorization.
[...]

Hmm, not quite true.

- from RFC 2068:
"Proxies MUST be completely transparent regarding user agent authorization.
That is, they MUST forward the WWW-Authenticate and Authorization headers
untouched [...]"

Thus, a proxy server MUST let the last server in the chain resolve the
authorization process.

I do have a question on this topic, btw. I'm currently using an Apache
1.2.4 somewhere, and wrote a cgi-script which needs to challenge the client
by sending her a WWW-Authenticate header. I do NOT WANT my apache server to
then deal with the "Authorization: ..." response. Instead, I WANT my
cgi-script to get this header untouched and play with it (this script needs
to know who is calling it, and then pass along the Authorization data to a
second web server in a transparent manner).

I tried a version where the script sends a Proxy-Authenticate (407) to the
client: the Proxy-Authorization response from the client is passed to the
script via the apache1.2.4 as an ENV variable (HTTP_PROXY_AUTHORIZATION).
Great! Unfortunately, not all browsers know what a 407 answer is.

I would like this behaviour to work with a 401 answer as well. That is, I
would like apache1.2.4 to pass the simple "Authorization: ..." response to
my script, via an ENV variable. I read somewhere it is possible with apache
(otherwise it won't be RFC 2068 compliant), but how can I do it?

Thanks for your answers,
Aymeric
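
The header-to-environment mapping discussed in this message, as an added example that is not part of the original e-mail and is not Apache's own code. The helper names and the strip_proxy switch are hypothetical: strip_proxy = 0 models what the forwarded post reports for Apache 1.2.4 (Authorization withheld, Proxy-Authorization exported as HTTP_PROXY_AUTHORIZATION), and strip_proxy = 1 models the change asked about at the top of the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison; HTTP header names are case-insensitive. */
static int ci_equal(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Hypothetical helper: 1 if the header carries credentials that must not
 * reach the script. strip_proxy = 0 models what the post reports for
 * Apache 1.2.4; strip_proxy = 1 also withholds Proxy-Authorization. */
int is_withheld(const char *name, int strip_proxy)
{
    return ci_equal(name, "Authorization") ||
           (strip_proxy && ci_equal(name, "Proxy-Authorization"));
}

/* Hypothetical helper: write the CGI variable name for a request header
 * into out ("User-Agent" -> "HTTP_USER_AGENT"). Returns 1 on success,
 * 0 if the header is withheld or out is too small. */
int cgi_env_name(const char *header, int strip_proxy, char *out, size_t outlen)
{
    size_t n = strlen(header);
    if (is_withheld(header, strip_proxy) || outlen < n + 6) /* "HTTP_" + NUL */
        return 0;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample header names, not taken from a real request. */
    const char *hdrs[] = { "User-Agent", "authorization", "Proxy-Authorization" };
    char name[64];
    for (int strip = 0; strip <= 1; strip++)
        for (size_t i = 0; i < 3; i++)
            printf("strip_proxy=%d %-20s -> %s\n", strip, hdrs[i],
                   cgi_env_name(hdrs[i], strip, name, sizeof name) ? name : "(withheld)");
    return 0;
}
```

With strip_proxy = 0 any script on the server can read the client's proxy credentials from its environment; with strip_proxy = 1 neither credential header reaches the script.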