httpd-dev mailing list archives

From Tim Bannister
Subject Re: SSLUserName -> mod_auth_user
Date Mon, 21 Apr 2014 12:46:06 GMT

On 21 Apr 2014, at 12:38, Graham Leggett wrote:

> Hi all,
> Right now, we have the SSLUserName directive, which takes an arbitrary SSL variable and
> turns it into a username for the benefit of the request. This has the downside that only SSL
> variables (and some CGI variables) are usable as usernames, and it combines with FakeBasicAuth
> to create undesirable side effects.
> What would be cleaner is if we deprecate SSLUserName and create a mod_auth_user.c module
> that declares AuthType User, and then offers an AuthUser directive that sets the user based
> on an arbitrary expression from ap_expr.h. This will make client certificates easier to work
> with, and provide options for authentication that aren't based purely on logins, such as tokens
> in URLs, etc.

What string should httpd return to mean “no user found”? Users are going to want this.
I suggest "" (empty string).

PS. I'd be tempted to call it AuthType Expr.

Tim Bannister
