httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Two levels of authentication
Date Mon, 25 Aug 2003 08:23:36 GMT
>-----Original Message-----
>From: Patrick L. Nolan [mailto:pln@razzle.Stanford.EDU]
> 
>
>I have proposed a different scheme, which I hope will be approved. There
>will be two groups.  The elite area will require the elite group, while
>the ordinary area will accept either one.  It seems to work if the same
>passwords are used in the two areas.
>
>The identical passwords seems to be important.  I tried to have a
>different password in the two areas, and it challenged me whenever I
>moved from one to the other.  My guess is that the credential has
>several components, one of which is the password.  Whenever any component
>changes, then there is a new challenge.  I haven't seen this written
>down anywhere.  Do I understand it correctly?

It's written down here:
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2068.html#sec-11

Briefly, the server requests authentication credentials and it is up to
the browser to supply them for every request in that directory (or
subdir thereof). The browser prompts the user once then caches the
user/pass and reuses it automatically for every subsequent request. 

If you nest authentication realms, the browser will become very confused
and the results are browser dependent. This is because it will send the
user/pass for what it thinks is a subdir of the authentication dir, but
will get another 401 (Authorisation required). It might prompt you for a
new password (which will overwrite the first one) or throw an error -
either way, it will get all in a pickle. Nesting of realms was not
foreseen in RFC2068...

FYI, the credential has two components, username and password, which are
concatenated and encoded base-64 and sent in an "Authorization" header.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.  


*   Patrick L. Nolan                                          *
*   W. W. Hansen Experimental Physics Laboratory (HEPL)       * 
*   Stanford University                                       *
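As an added illustration, not code from this thread or from the Apache HTTP Server project, the following Python script shows the credential format described above (username and password joined with a colon, base64-encoded, carried in the Authorization header) and a server-side check that applies the two-group scheme from the quoted message: the elite area requires membership of the elite group, the ordinary area accepts either group. The user names, passwords, group memberships and path prefixes are constructed for the example; the 403 for an authenticated user outside the allowed groups is this example's choice, not a statement about what httpd returns.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed sample data (hypothetical, not from the thread):
# user -> password, and group -> set of members.
USERS = {"alice": "s3cret", "bob": "hunter2", "carol": "a:b"}
GROUPS = {"elite": {"alice"}, "ordinary": {"bob", "carol"}}

# The two-group scheme: which groups each protected area accepts.
AREA_POLICY = {
    "/elite/": {"elite"},
    "/ordinary/": {"elite", "ordinary"},
}


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth.

    The credential is 'username:password' base64-encoded. base64 is a
    reversible encoding, not encryption: anyone who can read the request
    can recover the password, so Basic auth is only as private as the transport.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64>' into (username, password); None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The username cannot contain ':', but the password may, so split once.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authorize(path: str, header: Optional[str]) -> int:
    """Return the status this example server would send: 200, 401 or 403."""
    # Unprotected areas need no credential at all.
    allowed = next((g for prefix, g in AREA_POLICY.items() if path.startswith(prefix)), None)
    if allowed is None:
        return 200

    creds = decode_basic(header)
    if creds is None:
        return 401  # no usable credential: challenge the client
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so a wrong password does not leak length/prefix timing.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401

    if any(username in GROUPS[g] for g in allowed):
        return 200
    return 403  # authenticated, but not in a group this area accepts


if __name__ == "__main__":
    alice = encode_basic("alice", "s3cret")
    bob = encode_basic("bob", "hunter2")
    print("alice -> /elite/:   ", authorize("/elite/index.html", alice))
    print("bob   -> /elite/:   ", authorize("/elite/index.html", bob))
    print("bob   -> /ordinary/:", authorize("/ordinary/page", bob))
    print("anon  -> /ordinary/:", authorize("/ordinary/page", None))
```

Running the script shows alice reaching both areas, bob reaching only the ordinary area, and an anonymous request to a protected area receiving 401. The `decode_basic` helper also covers the malformed cases a server must survive: a missing header, a non-Basic scheme, invalid base64, and a decoded string without the colon separator.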


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org





