httpd-users mailing list archives

From David Knecht <david.kne...@anyweb.ch>
Subject Re: [users@httpd] Re: Single Sign-On to Virtual Hosts
Date Wed, 29 Mar 2006 13:34:10 GMT
Joshua Slive wrote:
> On 3/28/06, Joost de Heer <sanguis@xs4all.nl> wrote:
>> David Knecht wrote:
>>> This is probably a rather simple question related to single sign-on to
>>> virtual hosts. Although I did some research I need some advice that
>>> points me in the right direction...
>>>
>>> This is the environment:
>>>
>>> Virtual host A; Allowed users: administrator, user_a
>>> Virtual host B; Allowed users: administrator, user_b
>>> Virtual host C; Allowed users: administrator, user_a, user_c
>>>
>>> I'd like to create an administrator account using Apache's basic
>>> authentication feature. Whenever the administrator is successfully
>>> authenticated to one of these virtual hosts then no additional
>>> authentication/login should be required when accessing the other virtual
>>> hosts. The same applies to non-administrator users. Here, every
>>> individual user is allowed to log in only to explicitly assigned virtual
>>> hosts.
>>>
>>> I am currently using this type of authentication definitions in every
>>> single virtual host container of my test setup:
>>>
>>> ...
>>>       <Location "/xyz">
>>>               AuthType Basic
>>>               AuthName "Virtual Host A"
>>>               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
>>>               Require valid-user
>>>       </Location>
>>> ...
>>>
>>> Every virtual host container is currently using its own AuthUserFile. I
>>> assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
>>> user definitions as well as "Require administrator user_a" etc. on every
>>> individual virtual host is the way to go. However, I did not manage to
>>> make the single sign-on work so far...
>> Something like this:
>>
>> - Have all vhosts use the same AuthName
>> - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
>> group with the members that may use that vhost
>> - require membership of the proper authgroup.
>>
>> Once you start using different authnames, you can forget SSO, since a
>> different realm will be used for different vhosts.
> 
> Different hosts will require a new prompt regardless of the AuthName. 
> Otherwise you could easily steal passwords from other sites just by
> copying their AuthName.
> 
> So the punchline is that it is impossible to do SSO across different
> hosts with http basic auth.  You need to use another technique to
> manage sessions like cookies or special URLs.
> 
> Joshua.

Thanks. I guess I am going to give http://idcheck.sourceforge.net/ a try.

David


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
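
Added example, not part of the thread: the shared password file plus group file that Joost describes, written out for the three virtual hosts in the original question. The hostnames, the realm name "Intranet" and the /etc/httpd/htgroup path are assumptions; /etc/httpd/htpasswd is the shared file named in the question.

```apache
# Constructed example. ServerName values, the realm "Intranet" and the
# group file path are placeholders, not values from the thread.
#
# /etc/httpd/htgroup (format: "group: member member ..."):
#   vhosta: administrator user_a
#   vhostb: administrator user_b
#   vhostc: administrator user_a user_c
#
# On Apache 2.2 and earlier, name-based vhosts also need: NameVirtualHost *:80

<VirtualHost *:80>
    ServerName a.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Intranet"
        # One password database for every vhost
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        # Authorization differs per vhost through group membership
        Require group vhosta
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName b.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Intranet"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        Require group vhostb
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName c.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Intranet"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        Require group vhostc
    </Location>
</VirtualHost>
```

This gives one set of accounts with per-host authorization, but, as Joshua's reply states, the browser still prompts once for each hostname even though the AuthName is identical.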