httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Fake Basic Authentication
Date Thu, 09 Sep 2010 15:58:06 GMT
On Thu, 09 Sep 2010 16:51:00 +0200
Guenter Knauf <fuankg@apache.org> wrote:

> On 09.09.2010 01:00, Nick Kew wrote:
> > Someone asked on IRC today about seamlessly mixing SSL Client
> > authentication (FakeBasicAuth) with normal basic authn.
> > As I understood it, users without a client cert should authenticate,
> > but those with one would be spared the authn dialogue.
> >
> > A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
> > in an Access hook, so it's set before authn.  So what the user
> > asks is trivial: all it needs is an authn provider that accepts
> > any request in which r->user is set.  I've just hacked up the
> > smallest-ever(?) module (attached) to do that.
> >
> > This could also give users flexibility to mix-and-match basic
> > auth with other schemes in mod_rewrite style.  Or no doubt
> > shoot themselves in the foot.
> >
> > Thoughts?
> Isn't this already something similar?
> http://sourceforge.net/projects/modauthcertific/

Looking at that, I see it implements its own protocol and hooks,
including changing r->ap_auth_type on-the-fly.  I could be wrong,
but it doesn't look like something that'll integrate well with
mod_auth_basic and authn providers.

-- 
Nick Kew
