httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Fake Basic Authentication
Date Wed, 08 Sep 2010 23:00:43 GMT
Someone asked on IRC today about seemlessly mixing SSL Client
authentication (FakeBasicAuth) with normal basic authn.
As I understood it, users without a client cert should authenticate, 
but those with one would be spared the authn dialogue.

A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
in an Access hook, so it's set before authn.  So what the user
asks is trivial: all it needs is an authn provider that accepts
any request in which r->user is set.  I've just hacked up the
smallest-ever(?) module (attached) to do that.

This could also give users flexibility to mix-and-match basic
auth with other schemes in mod_rewrite style.  Or no doubt
shoot themselves in the foot.


Nick Kew
View raw message