httpd-users mailing list archives

From Jeff Sherk Forerunner Ministries <j...@ForerunnerTV.com>
Subject Re: [users@httpd] Can you supply username & password for AuthType Basic within a POST/GET?
Date Wed, 26 Aug 2009 22:16:24 GMT
Thanks Andre, Mike, Eric and Nick... I will read up on authentication so 
I can better grasp it!!


André Warnier wrote:
> Jeff Sherk Forerunner Ministries wrote:
>> When requiring a username & password with AuthType Basic, is it 
>> possible to include them in a POST or GET request to the server so 
>> that it won't ask for them (because they were provided)?
>>
>> If it's possible, what variable names are assigned to them.
>>
> Jeff,
> I believe you have a bit more studying to do in terms of HTTP 
> authentication scriptures.
>
> I recommend to you the following on-line documents, in that order :
> a) http://en.wikipedia.org/wiki/Basic_access_authentication
> b) http://httpd.apache.org/docs/2.2/howto/auth.html
> c) http://tools.ietf.org/html/rfc1945#section-11.1
>
> The truth is in there.  Unfortunately, these documents can be a bit 
> hermetic to the non-initiated, so here is a short introduction :
>
> On a webserver, you usually define different areas containing 
> documents, and corresponding URLs to access them.
> In Apache, these areas and URLs correspond more or less to 
> configuration sections such as <Directory> and <Location>.
> (You can also use a .htaccess file inside of the directory itself, but 
> that is frowned upon if you have access to the main webserver 
> configuration).
>
> If you want to protect access to such a Directory or Location, you can 
> specify rules, as described in (b) above.
>
> For the "basic" type of authentication, ("AuthType Basic"), the 
> parameter : "AuthName xxxxxxxxxxxx" is also very important.
>
> You can have different server areas which are covered by the same 
> "AuthName".  This is like in a building, you could have different 
> rooms marked "Prophets Only", while other rooms are marked "Mere 
> Converts OK".
> As soon as one has authenticated for one of the "Prophets Only" areas, 
> he is allowed to access any other room marked "Prophets Only", without 
> needing to supply his credentials again.
>
> The way it works, is that a browser "remembers" that it has already 
> accessed one of the "Prophets Only" areas previously within the same 
> browser session.
> So when he accesses a new area, when the server responds that for this 
> one, one needs a "Prophets Only" authentication, the browser just 
> looks in its cache to see if it already has one of those, and if yes, 
> it re-issues the same request again, without user intervention, but 
> this time with the appropriate request header providing his "Prophets 
> Only" authentication credentials.
> This all happens automatically, without the user even noticing.
>
> It is only the first time that the browser accesses a "Prophets Only" 
> area, that it does not find this in its cache, and has to ask the user 
> to provide a user-id and password.
>
> So, to get back to your original question above :
> - you do not need to do anything special to get this behaviour, other 
> than making sure that the different areas of your server which you 
> want to be covered by the /same/ credentials, use the /same/ 
> "AuthName" value.
> - there are no "variables" assigned to this.  It happens via HTTP 
> headers which the browser automatically adds to the request, when 
> applicable.(*)
>
> Now I suggest that you re-read document (b) above once more, hoping 
> that with this short overview it will now be more accessible.
>
>
> (*) This is not entirely true.  It is generally the case, when a 
> request has been "authenticated" by Apache, that a script running 
> under Apache can access the authenticated user-id assigned to this 
> request.
> To see how, however, you will have to consult yet more documentation, 
> depending on the programming language these scripts are written in.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
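The exchange André describes, as an added example that is not part of the original thread: a toy server answers with a 401 challenge naming the realm (the "AuthName"), and a toy browser retries with an `Authorization` header, prompting only when it has no cached credentials for that realm. The paths, user table, and function and class names are hypothetical, and the credentials are constructed sample values.

```python
import base64

# Constructed sample data: realm names follow the thread's analogy;
# the paths and credentials are made up for this example.
PROTECTED = {"/prophets/a": "Prophets Only", "/prophets/b": "Prophets Only",
             "/converts/": "Mere Converts OK"}
USERS = {"Prophets Only": ("Aladdin", "open sesame"),
         "Mere Converts OK": ("guest", "welcome")}

def encode_basic(user, password):
    """Header value a client sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """Server side: recover (user, password). Base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # Split on the first colon only, so a password may itself contain ':'.
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def server(path, headers):
    """Return (status, response_headers) for a request to a protected path."""
    realm = PROTECTED[path]
    auth = headers.get("Authorization")
    if auth and decode_basic(auth) == USERS.get(realm):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

class Browser:
    """Follows the thread's description: retry on 401, cache per realm."""
    def __init__(self, prompt):
        self.prompt = prompt   # callable(realm) -> (user, password)
        self.cache = {}        # realm -> Authorization header value
        self.prompts = 0       # how often the user was actually asked

    def get(self, path):
        status, hdrs = server(path, {})      # first try carries no credentials
        if status != 401:
            return status
        realm = hdrs["WWW-Authenticate"].split('realm="')[1].rstrip('"')
        if realm not in self.cache:          # ask the user only on a cache miss
            self.prompts += 1
            self.cache[realm] = encode_basic(*self.prompt(realm))
        status, _ = server(path, {"Authorization": self.cache[realm]})
        return status
```

Because `decode_basic` recovers the password from the header with no key, anyone who can read the request can do the same; Basic authentication only protects credentials in transit when the connection itself is encrypted (HTTPS).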
