Return-Path: 
 <test-dev-return-1161-apmail-httpd-test-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-test-dev-archive@httpd.apache.org
Received: (qmail 25418 invoked by uid 500); 4 Sep 2002 17:43:48 -0000
Mailing-List: contact test-dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: test-dev@httpd.apache.org
list-help: <mailto:test-dev-help@httpd.apache.org>
list-unsubscribe: <mailto:test-dev-unsubscribe@httpd.apache.org>
list-post: <mailto:test-dev@httpd.apache.org>
Delivered-To: mailing list test-dev@httpd.apache.org
Received: (qmail 25396 invoked from network); 4 Sep 2002 17:43:48 -0000
X-Authentication-Warning: cancer.clove.org: jerenk set sender to
 jerenkrantz@apache.org using -f
Date: Wed, 4 Sep 2002 10:43:51 -0700
From: Justin Erenkrantz <jerenkrantz@apache.org>
To: test-dev@httpd.apache.org
Subject: Re: [PATCH] flood: basic user auth
Message-ID: <20020904174351.GW16785@apache.org>
Mail-Followup-To: Justin Erenkrantz <jerenkrantz@apache.org>,
	test-dev@httpd.apache.org
References: <20020904184039.30a14290.jacek.prucia@7bulls.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020904184039.30a14290.jacek.prucia@7bulls.com>
User-Agent: Mutt/1.4i
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

On Wed, Sep 04, 2002 at 06:40:39PM +0200, Jacek Prucia wrote:
> <url user="Aladdin" password="open
> sesame">http://localhost:8080/auth</url>

To me, this seems a fair enough compromise for right now as it
seems some people really want this feature now.

> I can also prepare round-robin-auth.xml, but it would then require
> public resource protected (?) with well-known username and password.
> Maybe somebody can setup such a beast on www.apache.org? ;) To be honest
> I was thinking about http://httpd.apache.org/test/flood/test/ (yeah...
> this url is stupid... it is supposed to be just a proof of concept) with
> a bunch of files there. We could then demonstrate anything flood is

That's perfectly okay with me.  We can do all of that via .htaccess
configuration.  We can arrange for you to get the right access to
the repositories and servers to setup this area.

> capable of (regexp matches, failures, auth and this kind of stuff). With
> such setup changes in google responses wouldn't be that bad ;))

Yeah, it'd ensure that our examples don't break on us.  But, it's
kind of cool to use Google in the examples.  =)

> BTW: This patch kinda suck. The proper way to do this would be to define
> realms like this:
> 
> <realm>
>    <name>test</name>
>    <user>foo</user>
>    <password>bar</password>
>    <!-- if somebody want to simulate typing -->
>    <delay>10</delay>
> </realm>

Not sure we'd want delay in the realm (that seems more like a
property of the URL not the auth realm), but yeah, I agree that
this makes better sense.  Yet, I don't see a need to hold up
adding basic user auth support for this (unless you want to
code it up first).

> ...and react to WWW-Authenticate header just like browsers and other
> tiny clients (like wget) do. And I think we want to mimic browser
> behaviour. OTOH this brings up other issue -- an url list where we can
> insert new urls in realtime (like is planned for 3xx responses), which
> needs a bit more work...

*sigh*  Yeah, that's one thing we've always thought about, but never
really implemented (allowing following of 3xx).  If you wish to
take a stab at it, be our guest.  Almost certainly, we'd have to
discuss it on-list first before coding it up.  -- justin