httpd-dev mailing list archives

From Geoffrey Young
Subject Re: Apache and Application driven Basic Auth
Date Fri, 24 Dec 2004 16:09:34 GMT

> I'm trying to understand whether Apache even supports application driven
> Basic Authentication. 

it does, but our ideas of "application" are very different.  more on that

> It seems odd that this should be difficult to do -
> I've worked with a fair number of Web Servers over the years and this is the
> first time I've run into a situation where the Web Server does not auto
> negotiate the protocol when enabled in a directory. But then most other
> Windows Web Servers use the built-in OS security to manage directory level
> authentication.

it does, just not where you want it to be.

> All the discussion I've seen so far seems to center around authenticating
> against resources in the file system, which works as expected. But Basic
> Auth as a protocol is not bound to the file system. So my question is how do
> I make Apache pass through all requests to my application *and* authenticate
> the application's Basic Auth negotiation when I ask for it with a 401 header?

for apache, authentication and content are distinctly separate.  you want to
place both in the content phase (your "application") but apache's default
authentication mechanism just doesn't work that way.

> Apache does all that but only against its files, not against application
> generated requests. With my Application generated requests it basically
> interjects itself but doesn't process or forward the browser's Auth
> information. So you get a situation where there's no hook. 

the hook is called the authen phase.

> This is a fairly common task in Web applications... I get the feeling Apache
> can't do this at least not without writing custom auth (which would be
> preferred anyway, 

I think you've got it :)

> but this is a generic tool and people want to use Web Server
> integrated security from their own applications).

if you want to control security from within your own, content-only
application you can.  you just can't use apache's default file-based
user:password mechanism (mod_auth) - it's simply too late in the request for
that to happen.

> I do apologize for my ignorance on Apache - as stated this is not my primary
> tool and that's why I'm asking <g>.  I've spent a fair amount of time trying
> to google info on this subject but I've come up pretty much blank.
> I'm more than happy to dig if there are any pointers where to look. What
> I've found in the docs and via Google all deals with file based
> permissions...

you might understand apache a bit better by trying one of the books that
discuss the apache request cycle.  just because I know it's decent, you can
try this:

while it discusses the perl interface to the apache API instead of the C
interface, the concepts are the same.
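
The content-phase approach discussed in this thread, as an added example that is not part of the original message or of Apache's code: the application itself answers with 401 and checks the Basic credentials on the retry. It is written as a Python WSGI callable rather than the Perl or C API the message mentions, and it assumes the server hands the request's Authorization header to the application as `HTTP_AUTHORIZATION`; the realm, user table and function names are constructed for illustration.

```python
import base64
import hmac

REALM = "example"             # constructed realm name
USERS = {"alice": "s3cret"}   # constructed credential; real code checks password hashes


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None               # malformed base64 or non-UTF-8 bytes
    user, sep, password = decoded.partition(":")   # split on the first colon only
    return (user, password) if sep else None


def check(creds):
    """Constant-time password comparison; unknown users always fail."""
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return same and expected is not None


def app(environ, start_response):
    """Content-only application that drives the Basic Auth exchange itself."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if not check(creds):
        # Challenge: the browser retries the request with an Authorization header.
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
            ("Content-Type", "text/plain"),
        ])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % creds[0]).encode()]
```
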


