httpd-users mailing list archives

From Kevin Konowalec <kevin.konowa...@ualberta.ca>
Subject [users@httpd] Authentication restriction
Date Mon, 07 Mar 2005 21:28:49 GMT
Is it possible to restrict AuthTypes based on specific criteria?  Our 
policy has changed such that we are no longer allowing the use of 
Kerberos passwords via non-SSL-enabled connections.  So would it be 
possible to only allow users connected via HTTPS to be able to 
authenticate via Kerberos (using mod_auth_kerb)?

Say, for example, a user has set up an htaccess authenticated directory 
within their home space.

https://www.example.com/~someuser/secure/

If the user chooses to use Kerberos authentication as the AuthType, 
then anyone accessing the page from an HTTP connection should get a 
custom error page saying something like:

The page you are attempting to retrieve is no longer accessible via 
HTTP.  The new URL is https://www.example.com/~someuser/secure/ .  
Please update your bookmarks.


It's not only user space that will be affected here.  Any directory 
using Kerberos as an authentication mechanism must only be accessible 
via HTTPS and get that error page otherwise.  Basic or Digest 
authentication are still fair game either way (though if there was no 
other way than to restrict them as well to HTTPS it wouldn't be a huge 
issue).


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
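
An audit for the policy described in the message above, as an added example that is not part of the original post: it flags .htaccess files that select a Kerberos AuthType without mod_ssl's SSLRequireSSL. The paths and file contents are constructed, the function names are hypothetical, and each file is checked in isolation, so an SSLRequireSSL inherited from a parent directory or the server config is not seen.

```python
import os

# Constructed sample .htaccess contents; paths and files are illustrative only.
SAMPLES = {
    "/home/someuser/public_html/secure/.htaccess":
        'AuthType Kerberos\nAuthName "Campus"\nRequire valid-user\n',
    "/home/otheruser/public_html/secure/.htaccess":
        'SSLRequireSSL\nAuthType Kerberos\nRequire valid-user\n',
    "/home/thirduser/public_html/private/.htaccess":
        '# AuthType Kerberos\nAuthType Basic\nRequire valid-user\n',
}

def directives(text):
    """Yield (name, args) per directive; skips comments, joins '\\' continuations."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            # Directive names are case-insensitive in Apache config files.
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def kerberos_without_ssl(text):
    """True if the file picks a Kerberos AuthType but never sets SSLRequireSSL."""
    seen = list(directives(text))
    uses_kerberos = any(
        name == "authtype" and args.strip('"').lower().startswith("kerberos")
        for name, args in seen)
    requires_ssl = any(name == "sslrequiressl" for name, _ in seen)
    return uses_kerberos and not requires_ssl

def audit(files):
    """files maps path -> .htaccess text; returns the violating paths, sorted."""
    return sorted(p for p, text in files.items() if kerberos_without_ssl(text))

def load_tree(root, name=".htaccess"):
    """Collect every access file under root into the mapping audit() expects."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        if name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                found[path] = fh.read()
    return found

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("Kerberos AuthType without SSLRequireSSL:", path)
```

Passing `load_tree()` the directory that holds the user home directories in place of `SAMPLES` runs the same check over real files.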

