From: "Plüm, Rüdiger, VF-Group"
Delivered-To: mailing list dev@httpd.apache.org
Subject: RE: Fake Basic Authentication
Date: Thu, 9 Sep 2010 10:12:35 +0200
Message-ID: <99EA83DCDE961346AFA9B5EC33FEC08B04A3C2F0@VF-MBX11.internal.vodafone.com>
In-Reply-To: <20100909000043.7f9f42ec@baldur>

> -----Original Message-----
> From: Nick Kew
> Sent: Thursday, 9 September 2010 01:01
> To: dev@httpd.apache.org
> Subject: Fake Basic Authentication
>
> Someone asked on IRC today about seamlessly mixing SSL Client
> authentication (FakeBasicAuth) with normal basic authn.
> As I understood it, users without a client cert should authenticate,
> but those with one would be spared the authn dialogue.

You confuse me. Doesn't this already work with Basic Auth if the user that
presents the certificate is registered in the Authn provider with the
password 'password'?

Of course this also means that if someone knows the username in the
certificate of one of the users he can log in WITHOUT certificate using the
username and 'password' (provided that client certs are not mandatory of
course).

Maybe it would be helpful to post an example configuration snippet to be
sure that we are really talking about the same thing.

>
> A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
> in an Access hook, so it's set before authn. So what the user

In the case that FakeBasicAuth is turned on r->user is not set by mod_ssl.
In this case it only adds a fake Basic auth header to r->headers_in in
ssl_hook_UserCheck (which is the same hook that mod_auth_basic runs in but
earlier) and leaves the job of setting r->user to mod_auth_basic.

Regards

Rüdiger
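The configuration snippet Rüdiger asks for, written here as an added example and not taken from the thread or from the httpd project: the "mixed" setup Nick describes, where client certificates are optional, cert holders are let through by FakeBasicAuth, and everyone else gets the normal Basic auth dialogue against the same user file. The file paths, the realm name, the subject DN and the user names are hypothetical.

```apache
# Added example (not from the original thread). Paths, realm, DN and
# user names are hypothetical.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # "optional": browsers without a client cert still get a TLS session
    # and fall through to the Basic auth dialogue below. This is the
    # non-mandatory case Rüdiger's caveat refers to.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /protected>
        # With +FakeBasicAuth mod_ssl does not set r->user itself; it adds
        # an "Authorization: Basic ..." header to r->headers_in in
        # ssl_hook_UserCheck (username = the cert's subject DN, password =
        # the fixed string "password") and leaves r->user to mod_auth_basic.
        SSLOptions +FakeBasicAuth

        AuthType Basic
        AuthName "Protected area"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/protected.htpasswd
        Require valid-user
    </Location>
</VirtualHost>

# /etc/httpd/protected.htpasswd (hypothetical contents, one "name:hash"
# line per user). The cert holder's entry must verify the password
# "password", e.g. created with:
#   htpasswd -b /etc/httpd/protected.htpasswd "/C=DE/O=Example/CN=Alice" password
# An ordinary dialogue user keeps a password of their own choosing:
#   htpasswd -b /etc/httpd/protected.htpasswd bob '<bob-password-placeholder>'
```

With `SSLVerifyClient optional` both entries are reachable through the dialogue as well, which is exactly the point made above: the DN entry accepts the literal password "password" for anyone who types the DN as a user name, cert or no cert. The exposure only disappears when client certificates are mandatory (`SSLVerifyClient require`), at which point the non-cert users Nick wanted to keep can no longer connect, so the two goals conflict in this form.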