httpd-users mailing list archives

From "Patrick L. Nolan" <...@razzle.Stanford.EDU>
Subject Re: [users@httpd] Two levels of authentication
Date Thu, 21 Aug 2003 17:45:28 GMT
> Patrick L. Nolan wrote:
> > <Directory /home/www/htdocs/elite>
> > AuthName "Private area for elite users"
> > </Directory>
> >
> > <Directory /home/www/htdocs/ordinary>
> > AuthName "The area for the ordinary folks"
> > </Directory>
> 
> You see, it isn't Apache that decides whether or not the user is prompted
> for the credentials. As HTTP is a stateless protocol with no concept of
> sessions, the User-Agent is required to send the credentials with each and
> every request, so it could theoretically challenge the user each time a
> resource is requested. However, it is supposed to recognize "authentication
> realms" together with URL scope (e.g. so that it doesn't send passwords to
> another site) to recycle the credentials, and as your realms are named
> differently the User-Agent MUST NOT send credentials for the other without
> prompting the user. So, if your 'elite' area is located in a sub directory,
> you might be able to achieve this by giving the realm the same name. If they
> are on different hosts, you will not be able to do this without serious
> client side hacks (e.g. set location to 'http://login:pass@elitehost/' with
> JavaScript).
> 
> However, unless I misunderstand something about your requirements, shouldn't
> you be able to have all users in the same database but create an 'elite'
> group that is allowed into the 'elite' area?
> 

Thanks for the response.  It is the only one I have received so far.

I have proposed a different scheme, which I hope will be approved.  There
will be two groups.  The elite area will require the elite group, while
the ordinary area will accept either one.  It seems to work if the same
passwords are used in the two areas.

The identical passwords seem to be important.  I tried to have a
different password in the two areas, and it challenged me whenever I
moved from one to the other.  My guess is that the credential has
several components, one of which is the password.  Whenever any component
changes, then there is a new challenge.  I haven't seen this written
down anywhere.  Do I understand it correctly?

*   Patrick L. Nolan                                          *
*   W. W. Hansen Experimental Physics Laboratory (HEPL)       * 
*   Stanford University                                       *
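The two-group scheme described in the message above, written out as an added example (it is not configuration from the original thread or from the Apache project). It uses Apache httpd 2.4 directives and assumes mod_auth_basic, mod_authn_file, mod_authz_groupfile and mod_authz_core are loaded; the paths, file names, user names and group names are illustrative assumptions. The two things that keep the browser from re-prompting are deliberate: both areas use the same AuthName, because browsers key cached Basic credentials by host and realm (RFC 2617), and both areas read the same AuthUserFile, so a user has exactly one password. With a shared realm but separate password files, the browser would send its cached credential to the second area, receive a 401 because that file holds a different hash, and prompt again, which matches the behaviour reported above.

```apache
# Added example, not from the original thread.  Apache httpd 2.4 syntax.
# Paths and names below are assumptions for illustration.
#
# Create the credential files once, outside httpd.conf (run as the admin):
#   htpasswd -c /etc/httpd/auth/users alice      # -c creates the file; first user only
#   htpasswd    /etc/httpd/auth/users bob
#   printf 'elite: alice\nordinary: bob\n' > /etc/httpd/auth/groups
#
# Apache does not allow trailing comments on directive lines, so all
# comments here sit on their own lines.

# Elite area: only members of the "elite" group.
<Directory /home/www/htdocs/elite>
    AuthType Basic
    # Same realm string as the ordinary area (see below).
    AuthName "Restricted area"
    AuthBasicProvider file
    # One shared user file: one password per user for both areas.
    AuthUserFile  /etc/httpd/auth/users
    AuthGroupFile /etc/httpd/auth/groups
    Require group elite
</Directory>

# Ordinary area: members of either group are accepted.
<Directory /home/www/htdocs/ordinary>
    AuthType Basic
    # Same realm string as the elite area (see above).
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile  /etc/httpd/auth/users
    AuthGroupFile /etc/httpd/auth/groups
    Require group elite ordinary
</Directory>
```

Two practitioner caveats. First, keep the user and group files outside the DocumentRoot (as above) so they can never be served. Second, Basic authentication only base64-encodes the credential and the browser resends it on every request, so this setup should only be exposed over TLS; the "same password in both areas" requirement means that one credential unlocks everything the user is allowed to see, which is exactly what the realm/credential-caching rules in the quoted reply describe.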


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

