Return-Path:
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 67922 invoked by uid 500); 24 Sep 2001 21:14:22 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
list-post:
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 67911 invoked from network); 24 Sep 2001 21:14:22 -0000
Message-ID: <3BAFA1CA.30B53BD0@Golux.Com>
Date: Mon, 24 Sep 2001 17:12:42 -0400
From: Rodent of Unusual Size
Organization: The Apache Software Foundation
X-Mailer: Mozilla 4.76 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Apache Developers
Subject: Null username/password in auth rules
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Someone has brought up the point that an AuthUserFile database
containing a line with only ':' on it will allow access if the
supplied username and password are blank and 'Require valid-user'
is the access control. RFC 2617 permits such null credential
elements; the questions that have been raised for us are:

1. Should *we* allow it?
2. If we allow it, should it match 'valid-user', or only
   'Require user ""'? (Not sure if the latter will work currently.)

My personal HO is 1) yes, we should allow it, and 2) yes, it should
be matched by 'valid-user' -- because, by virtue of its being in
the AuthUserFile database, it IS a valid user by definition.

OtherBill differs, and I yield the [virtual] floor to him. :-D
--
#ken P-)}

Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/

"All right everyone! Step away from the glowing hamburger!"
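
An added example, not part of the original message and not Apache code: a Python audit that flags AuthUserFile entries with a null username or password field, together with a decoder showing the Basic credential a client sends for a blank username and password. The `user:hash` line layout with `#` comment lines, the function names, and the sample file contents (including the placeholder hash strings) are assumptions constructed for illustration.

```python
import base64

# Constructed sample AuthUserFile contents; the hash strings are placeholders.
SAMPLE_AUTHUSERFILE = """\
# staff accounts
alice:$apr1$constructed$0000000000000000000000
:
bob:
:$apr1$constructed$1111111111111111111111
"""

def parse_basic(header_value):
    """Decode an RFC 2617 Basic credential into (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    # Only the first ':' separates the two parts; either part may be empty.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def audit_authuserfile(text):
    """Return (line_number, reason) for entries with a null user or password field."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments are not entries
        fields = entry.split(":")
        user = fields[0]
        stored = fields[1] if len(fields) > 1 else None
        if stored is None:
            findings.append((number, "no ':' separator"))
        elif not user and not stored:
            findings.append((number, "null username and null password field"))
        elif not user:
            findings.append((number, "null username"))
        elif not stored:
            findings.append((number, "null password field"))
    return findings

if __name__ == "__main__":
    print(parse_basic("Basic Og=="))  # "Og==" is base64 of a lone ':'
    for number, reason in audit_authuserfile(SAMPLE_AUTHUSERFILE):
        print(f"line {number}: {reason}")
```
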