httpd-dev mailing list archives

From "Life is hard, and then you die" <ron...@innovation.ch>
Subject Re: cvs commit: apache-1.3 STATUS
Date Mon, 08 May 2000 02:24:21 GMT
On Sat, Apr 15, 2000 at 11:20:18AM -0400, Rodent of Unusual Size wrote:
> rbb@covalent.net wrote:
> > 
> > Now personally, I don't see a need for this patch, because this
> > functionality can be achieved with the current code.
> 
> Really?  What the patch supposedly does is tell mod_auth_digest
> to include two WWW-Authenticate fields in the 401 response, one
> for the Digest mechanism and one for Basic.  My impression is
> that right now 1.3 will only emit one or the other, but not
> both.  His point is that providing both lets the client choose
> which one to use.

Correct. Note that the AuthAuthoritative only allows the processing of
Basic auth to be handled by others too - the core makes the assumption
that only one auth type may be active for a given resource.

> I don't like the implementation, since it's overloading mod_auth_digest
> with something that isn't its job, but I like the idea of sending
> both fields when both auth-methods are available for a resource.

I agree with Ken. We need some way to be able to handle multiple auth
schemes for the same resource (currently this may be Basic, Digest, and
NTLM). There are two problems: 1) auth modules must not assume they're
the only ones generating the WWW-Authenticate header or parsing the
Authorization header - this is easy to solve, though it requires some
help from the core (it needs to keep iterating over the modules even
after one returns AUTH_REQUIRED). 2) The core needs to handle the fact
that there may be more than one auth type appropriate for a given
resource. This is probably more involved than just making the
ap_auth_type and ap_auth_name fields take more than one value - the
question of scoping arises. E.g. if I have

<Directory /foo>
AuthType Basic
...
</Directory>

<Directory /foo/bar>
AuthType Digest
...
</Directory>

should the resulting auth-type for /foo/bar/ be just Digest or both? I
don't know what the best solution is here.


  Cheers,

  Ronald
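
Added example, not part of the original message and not Apache code: a small Python model of the scoping question above, computing the auth types for a path under two hypothetical merge policies ("override" and "accumulate") and the WWW-Authenticate fields a 401 would then carry. The policy names, the realm value and the nonce placeholder are assumptions; note that under "accumulate" a subtree tightened to Digest still offers Basic, which sends the password unhashed.

```python
# Added illustration; not Apache code. Models per-directory AuthType merging.
from posixpath import normpath

# Constructed config mirroring the two <Directory> sections in the message.
SECTIONS = [
    ("/foo", ["Basic"]),
    ("/foo/bar", ["Digest"]),
]
REALM = "example"  # hypothetical AuthName value

def applies(section_path, request_path):
    """True if request_path is the section directory or lies beneath it."""
    section = normpath(section_path).rstrip("/")
    request = normpath(request_path)
    return request == section or request.startswith(section + "/")

def effective_auth_types(request_path, policy):
    """Walk matching sections from least to most specific.

    policy="override": the most specific section replaces inherited types.
    policy="accumulate": each section adds its types to the inherited ones.
    """
    if policy not in ("override", "accumulate"):
        raise ValueError("unknown policy: %r" % policy)
    result = []
    for path, types in sorted(SECTIONS, key=lambda s: len(normpath(s[0]))):
        if not applies(path, request_path):
            continue
        if policy == "override":
            result = list(types)
        else:
            result += [t for t in types if t not in result]
    return result

def challenge_headers(request_path, policy):
    """One WWW-Authenticate field per active scheme for the 401 response."""
    headers = []
    for scheme in effective_auth_types(request_path, policy):
        if scheme == "Digest":
            # The nonce is a placeholder; a real server generates a fresh one.
            value = 'Digest realm="%s", nonce="<nonce>", qop="auth"' % REALM
        else:
            value = '%s realm="%s"' % (scheme, REALM)
        headers.append(("WWW-Authenticate", value))
    return headers
```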

