httpd-users mailing list archives

From "J.Lance Wilkinson" <jl...@psu.edu>
Subject Re: [users@httpd] Single Value Authentication Module
Date Mon, 12 Sep 2011 16:03:47 GMT
Terry Carmen wrote:
> 
> 
> Quoting "J.Lance Wilkinson" <jlw12@psu.edu>:
> 
>  > I'm looking for a VERY SIMPLE single value authentication module (like BASIC
>  > Authentication, but only a USER ID, no prompt for PASSWORD) for Apache 2.2.x.
>  > User IDs that will be used are going to be long numeric transaction ids
>  > provided by an external e-commerce site.
> 
> You'll probably find it much simpler to use the standard basic auth 
> mechanism, use your transaction id for the login and pass in a dummy 
> password.

	Not sure how I'd "pass in a dummy password." from my HTTPD
	to the user's browser.
> 
> You could also play with the Require directive.

	I would be using Require valid-user or whatever was needed to
	force the transaction ID to match what's found in the transaction
	ID valid list.

> 
> Although I've never tried it, and it seems like a really bad idea, it 
> will supposedly accept a Boolean expression, so you could try "Require 
> true" or something similar.

	Agreed.  Sounds like a bad idea.
> 
> In any case, if your transaction IDs can be predicted or brute-forced, 
> this all sounds like a really bad idea.

	I guess an alternative would be to use the transaction ID as the
	USER (required unique) and then use as the password the name of
	the entity associated with that transaction.

	If I don't get any further recommendations for alternatives that
	would let me get by with a single input factor, that'll probably
	be the best option.
-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
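
The fallback described in the message above (transaction ID as the Basic auth user, the associated entity's name as the password, checked with Require valid-user) needs a user file built from the valid transaction list. The following is an added example, not part of the original post or of Apache httpd: it writes entries in the `{SHA}` format that `htpasswd -s` produces and rejects short or non-numeric IDs; the function names, the 12-digit minimum and the sample records are assumptions.

```python
import base64
import hashlib
import hmac

MIN_ID_DIGITS = 12  # assumed floor: short numeric IDs are cheap to enumerate


def _sha(password: str) -> str:
    # Same value `htpasswd -s` stores: "{SHA}" + base64(SHA-1(password)).
    # Unsalted, so equal entity names give equal hashes.
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def entry(txn_id: str, entity: str) -> str:
    """One AuthUserFile line: transaction ID as user, entity name as password."""
    if not (txn_id.isascii() and txn_id.isdigit() and len(txn_id) >= MIN_ID_DIGITS):
        raise ValueError("transaction ID must be %d+ ASCII digits" % MIN_ID_DIGITS)
    if not entity.strip() or "\n" in entity or "\r" in entity:
        raise ValueError("entity name must be a non-empty single line")
    return txn_id + ":" + _sha(entity)


def build_user_file(records) -> str:
    """records: iterable of (txn_id, entity); the user name must be unique."""
    seen, lines = set(), []
    for txn_id, entity in records:
        if txn_id in seen:
            raise ValueError("duplicate transaction ID " + txn_id)
        seen.add(txn_id)
        lines.append(entry(txn_id, entity))
    return "\n".join(lines) + "\n"


def check(user_file: str, txn_id: str, entity: str) -> bool:
    """Look up the user line and compare hashes in constant time."""
    for line in user_file.splitlines():
        user, _, stored = line.partition(":")
        if user == txn_id:
            return hmac.compare_digest(stored, _sha(entity))
    return False


# Constructed sample records, not real transactions.
SAMPLE = [("202109120004815162", "Example Widgets LLC"),
          ("202109120004815163", "Sample Press Inc")]
USER_FILE = build_user_file(SAMPLE)
```

The generated text is what `AuthUserFile` would point at, alongside `AuthType Basic` and `Require valid-user`.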
