httpd-users mailing list archives

From (Sean Conner)
Subject [users@httpd] Apache Authentication questions
Date Wed, 07 Dec 2005 22:05:42 GMT

  I'm playing around with authentication schemes under Apache.  In reading
the spec [1] I notice that a server can send multiple authentication

  Now, Apache has support for both Basic and Digest authentication schemes,
and that both the scheme and userid are included with the request, so a CGI
script can determine if the request was made via the Basic scheme or Digest

  So far so good.

  But the Digest scheme isn't supported in all browsers, just the most
recent versions.  It would be nice to support both [2].  I tried the
following under both Apache 1.3.33 and Apache 2.0.54:

  DocumentRoot  /home/spc/wiki/htdocs
  CustomLog     logs/ combined

  # bunch of ErrorDocument directives snipped
  # not germane to the discussion here ... 

  <Directory /home/spc/wiki/htdocs>
    AllowOverride       All
    Options             All

    AuthType            Basic
    AuthName            "Wiki Editing"
    AuthUserFile        /home/spc/blog/users
    AuthGroupfile       /home/spc/blog/groups

    <LimitExcept GET HEAD>
      Require   valid-user
    </LimitExcept>
  </Directory>

  <Location "/edit/">
    Require valid-user
  </Location>

  <Directory /home/spc/wiki/htdocs/private>
    AllowOverride       All
    Options             All

    AuthType            Basic
    AuthName            Administration
    AuthUserFile        /home/spc/wiki/users
    AuthGroupFile       /home/spc/wiki/groups
    Require             group admin

    AuthType            Digest
    AuthName            Administration
    AuthDigestFile      /home/spc/wiki/digest-users
    AuthDigestGroupFile /home/spc/wiki/groups
    Require             group admin
  </Directory>


(configuration is the same under both versions).  The configuration works
(that's not the problem), but Apache (both versions) seems to prefer the
Digest method and never mentions the Basic scheme at all:

	Connected to
	Escape character is '^]'.
	GET /private/ HTTP/1.0
	HTTP/1.1 401 Authorization Required
	Date: Wed, 07 Dec 2005 21:53:35 GMT
	Server: Apache/2.0.54 (Unix) DAV/2
	WWW-Authenticate: Digest realm="Administration",
	Last-Modified: Wed, 07 Dec 2005 21:20:34 GMT
	ETag: "a041cc-89e-b8ff4c80"
	Accept-Ranges: bytes
	Content-Length: 2206
	Connection: close
	Content-Type: text/html

I've yet to try Apache 2.2, but can Apache be configured to support multiple
authentication schemes for the same directory/location?  Am I missing

  -spc (If not, oh well ... I can deal ... )

[1]	RFC-2617: HTTP Authentication: Basic and Digest Access

[2]	Just playing around with an idea, and Digest is the preferred
	method, but I would like to support the Basic scheme, just a 
	bit differently though.
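
Added example (not part of the original message and not Apache's own code): RFC 2617 lets a 401 response carry several challenges, either as repeated WWW-Authenticate headers or comma-separated within one header, so checking which schemes a server actually offers takes a small parser. The sample response and its nonce value are constructed, and the function names are hypothetical.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# auth-param: token "=" ( quoted-string | token )
PARAM = re.compile("(" + TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]*)')
# auth-scheme: a bare token that is not followed by "="
SCHEME = re.compile("(" + TOKEN + r")(?=\s|,|$)")

def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value})]."""
    challenges, pos = [], 0
    while pos < len(value):
        if value[pos] in " \t,":            # separators between items
            pos += 1
            continue
        m = PARAM.match(value, pos)
        if m and challenges:                # param of the current challenge
            key, val = m.group(1).lower(), m.group(2)
            if val.startswith('"'):         # unquote and unescape
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            challenges[-1][1][key] = val
        else:                               # otherwise a new scheme starts
            m = SCHEME.match(value, pos)
            if not m:
                raise ValueError("malformed challenge at offset %d" % pos)
            challenges.append((m.group(1).lower(), {}))
        pos = m.end()
    return challenges

def offered_schemes(raw_response):
    """Collect every challenge from the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)   # join folded header lines
    found = []
    for line in unfolded.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            found += parse_challenges(value)
    return found

def missing_schemes(raw_response, wanted=("basic", "digest")):
    offered = {scheme for scheme, _ in offered_schemes(raw_response)}
    return [s for s in wanted if s not in offered]

# Constructed sample: one folded header carrying both challenges.
SAMPLE = ("HTTP/1.1 401 Authorization Required\r\n"
          'WWW-Authenticate: Digest realm="Administration",\r\n'
          '\tnonce="constructed-nonce", algorithm=MD5, qop="auth",\r\n'
          '\tBasic realm="Administration"\r\n'
          "Content-Type: text/html\r\n\r\n")
```

Run against a response like the one quoted in the message, missing_schemes() returns ["basic"], which is the behaviour being asked about.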

The official User-To-User support forum of the Apache HTTP Server Project.