httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rufustfire...@subdimension.com
Subject Re: Basic Authentication from C
Date Thu, 02 May 2002 16:09:46 GMT
> On Thu, 2 May 2002 rufustfirefly@subdimension.com wrote:
>
> > I've been trying to hack the xmlrpc-c library to support
> > server-side basic authentication, but I can't find any
> > environmental variable or method of accessing the
> > password that should be passed by basic authentication.
> > Some servers use HTTP_AUTHENTICATION, others use
> > AUTH_PASS or REMOTE_PASS, but I can't find any instance
> > of these in the apache source.
> >
> > Is there a way to access the Basic: header, either
> > through environmental variables or another trick?
>
> For important security reasons, you can access the
> password only if you are running as an apache module, not
> if you are running as a cgi script. The password is not
> placed in the environment.
> (There is a SECURITY_HOLE_PASS_AUTHORIZATION compile time
> define (or something similar) that will allow this, but it
> is certainly not recommended.)

I'm not quite following you concerning the reasoning; even
if it is a huge security hole (for basic authentication...),
why not allow a configuration directive letting this
capability be set on or off? Then it would be possible to
write CGI's that access the information only when it is
neccessary.

Thanks,
Jeff
_____________________________________________________________________
// free anonymous email || forums \\ subZINE || anonymous browsing 
            subDIMENSION -- http://www.subdimension.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message