httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: Null username/password in auth rules
Date Mon, 24 Sep 2001 21:32:53 GMT
From: "Rodent of Unusual Size" <Ken.Coar@Golux.Com>
Sent: Monday, September 24, 2001 4:12 PM

> Someone has brought up the point that an AuthUserFile database
> containing a line with only ':' on it will allow access if the
> supplied username and password are blank and 'Require valid-user'
> is the access control.
> RFC 2617 permits such null credential elements; the questions
> that have been raised for us are:
> 1. Should *we* allow it?
> 2. If we allow it, should it match 'valid-user', or only
>    "Require user ""'?  (Not sure if the latter will work
>    currently.)
> My personal HO is 1) yes, we should allow it, and 2) yes,
> it should be matched by 'valid-user' -- because, by virtue
> of its being in the AuthUserFile database, it IS a valid
> user by definition.
> OtherBill differs, and I yield the [virtual] floor to him. :-D

And my take is that, even if the <blankuser>:<blankpw> entry exists,
the admin may _or_ may not want that user to pass.

So my take is to recognize the blank/blank user and password, but
not consider it in the Require valid-user domain.  If they asked for
a valid-user, they probably didn't expect just anybody to enter.

Given my thoughts, if Require user "" isn't supported today, it should be.
(For that matter, it should be allowed under RoUS's take, as well.)
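As an added illustration (not code from the thread or from httpd itself), the following Python models the two positions above: an AuthUserFile containing a bare ':' line is parsed, and a Require rule is evaluated either with the blank user counted under 'valid-user' (Ken's take) or excluded from it but still matched by an explicit Require user "" (Bill's take). The file contents are constructed, and passwords are compared in plaintext purely for illustration rather than with Apache's crypt/MD5 scheme.

```python
from typing import Dict, Tuple

# Constructed AuthUserFile contents (not a real file). Passwords are kept
# in plaintext here purely for illustration; htpasswd files store hashes.
AUTH_USER_FILE = """\
alice:wonderland
# a comment line
:
bob:builder
"""


def parse_auth_user_file(text: str) -> Dict[str, str]:
    """Map username -> stored password field, one 'user:pw' per line.

    A line consisting only of ':' yields the entry '' -> '' (blank/blank).
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, pw = line.partition(":")
        if not sep:
            continue  # malformed line without a separator; ignore it
        entries[user] = pw
    return entries


def check_credentials(entries: Dict[str, str], user: str, password: str) -> bool:
    """True when the supplied pair matches an entry, blank/blank included."""
    return user in entries and entries[user] == password


def authorize(entries: Dict[str, str], user: str, password: str,
              require: Tuple[str, ...], strict_valid_user: bool) -> bool:
    """Evaluate a Require rule: ('valid-user',) or ('user', name).

    strict_valid_user=False: any entry in the file satisfies valid-user.
    strict_valid_user=True: the blank user never satisfies valid-user,
    but still matches an explicit Require user "".
    """
    if not check_credentials(entries, user, password):
        return False
    kind = require[0]
    if kind == "user":
        return user == require[1]
    if kind == "valid-user":
        return not (strict_valid_user and user == "")
    raise ValueError(f"unsupported Require directive: {kind}")
```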