httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Houser, Rick" <Houser.R...@aoins.com>
Subject RE: Setting a handler within a configuration directive
Date Mon, 24 Nov 2008 15:52:42 GMT
Don't things like SSL client auth (pre-HTTP connection) internally show
as basic auth?  Isn't it just as trivial to make a module that does
nothing more than set the auth-type string to basic?  A simple contract
(real contract, not EULA garbage), should give you far more protection
than any of this.



Thanks,

Rick Houser
Auto-Owners Insurance
Systems Support
(517)703-2580

-----Original Message-----
From: scarleton@gmail.com [mailto:scarleton@gmail.com] On Behalf Of Sam
Carleton
Sent: Monday, November 24, 2008 9:43 AM
To: modules-dev@httpd.apache.org
Subject: Re: Setting a handler within a configuration directive

Rick,

You are absolutely right on all accounts.  The only problem is that I am
a one man shop and I simply don't have the resources to have multiple
distributable.  I prefer taking the risk of folks hacking my software
then have multiple distributable.

What is that saying, a lock only keeps the honest man honest.  Those
that are going to steal my code are going to steal it no matter what I
do, well I could go to extremes to protect my code, it just isn't that
widely used to be worth the effort.

I did find what appears to be a good workaround last night after posting
the question:  My handler checks to see if the authentication is set to
basic, if not, my handler is declined, thus, in theory stopping my
handler from running if the user removes the AuthType from the location
where the hander is set.  I would still prefer to hide the setting, but
if there is a even better way, I am all ears!

Sam



Mime
View raw message