httpd-users mailing list archives

From "Vincenzo D'Amore" <v.dam...@gmail.com>
Subject Re: [users@httpd] Authenticating with subfolders
Date Tue, 21 May 2013 10:51:00 GMT
Hi Bruno,

just read again the RFC you cited, and I'm not sure about the assumption that
a realm can be contained within another.
Or maybe the implementation in Apache httpd cannot support multiple
nested realms.

As far as I see, you can define just one Realm that, eventually, overrides
the existing one.

This is from "Authentication and Authorization" (
http://httpd.apache.org/docs/2.2/howto/auth.html )

*The AuthName directive sets the Realm to be used in the authentication.
The realm serves two major functions. First, the client often presents this
information to the user as part of the password dialog box. Second, it is
used by the client to determine what password to send for a given
authenticated area.*

On the other hand, I took a look at the HTTP headers during the conversation
between server and agent.
Well, the Agent, within its Request, sends a quite simple Authorization
header.
It doesn't even specify the realm, only the type and the credential:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

So I'm not sure it is possible to have multiple realms.

Best,
Vincenzo




2013/5/21 Vincenzo D'Amore <v.damore@gmail.com>

> Hi Bruno,
>
> maybe you're right; I read it a long time ago, but actually I don't remember
> the RFC exactly.
> So now I have just implemented such a configuration with Apache 2.2.
>
> Into the document root I have created a .htaccess with this configuration:
>
> AuthType Basic
> AuthName "Root Restricted Files"
> AuthBasicProvider file
> AuthUserFile /var/www/.htpasswd
> require valid-user
>
> Then I created a directory /var/www/test1 where I created a new
> .htaccess file with this configuration:
>
> AuthType Basic
> AuthName "Test1 Restricted Files"
> AuthBasicProvider file
> AuthUserFile /var/www/test1/.htpasswd
> require valid-user
>
> In /var/www/.htpasswd there is:
>
> # htpasswd -bn root password
>
> root:UYMXijHR5MW42
>
> In /var/www/test1/.htpasswd there is:
>
> # htpasswd -bn test1 password1
>
> test1:P5ENtSmla14FQ
>
> Well, it is working pretty well, please try it.
> I have also tried to add a third directory with different credentials;
> everything works like a charm :)
>
> Best,
> Vincenzo
>
>
> 2013/5/21 Bruno Tréguier <Bruno.Treguier@shom.fr>
>
>> On 21/05/2013 at 11:07, Vincenzo D'Amore wrote:
>> > Hi Miguel,
>> >
>> > yes it is possible, you could add a couple of files in each directory
>> > (.htaccess and .htpasswd).
>> > Those files should override the root authentication configuration with a
>> > new local config.
>> >
>> > I suggest reading here how to implement such a configuration:
>> >
>> > http://httpd.apache.org/docs/2.2/howto/auth.html
>>
>> Hello Vincenzo and Miguel,
>>
>> I've been looking for such a configuration as well long ago, and I had
>> come to the conclusion that it was not possible, as only *one*
>> Authorization header is allowed (as far as I know).
>>
>> RFC2616 (HTTP/1.1) also states, in its §14.8:
>>
>> "If a request is authenticated and a realm specified, the same
>> credentials SHOULD be valid for all other requests within this realm".
>>
>> So, as I understand it, you cannot use a login/password pair for a local
>> resource accessible via, e.g., "/a/", and another login/password pair
>> for other local resources located "under", e.g. "/a/b/" (as accessing
>> "/a/b/"'s realm implies accessing "/a/"'s realm first).
>>
>> I may be wrong, that being said, but if anyone has a solution for that,
>> I'd love to read how it was implemented.
>>
>> Regards,
>>
>> Bruno
>>
>> --
>> - Service Hydrographique et Oceanographique de la Marine  -  DMGS/INF
>> -  13, rue du Chatellier -  CS 92803  - 29228 Brest Cedex 2, FRANCE
>> -     Phone: +33 2 98 22 17 49  -  Email: Bruno.Treguier@shom.fr
>>
>>
>
>
> --
> Vincenzo D'Amore
> email: v.damore@gmail.com
> skype: free.dev
> mobile: +39 349 8513251
>



-- 
Vincenzo D'Amore
email: v.damore@gmail.com
skype: free.dev
mobile: +39 349 8513251
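The exchange the thread argues about, as an added example that is not part of any message above and not httpd's own code: a small Python model in which the server side picks the Basic-auth settings of the most specific directory (the way httpd's per-directory configuration merges, with the nested `.htaccess` winning) and the client side caches credentials, sends them preemptively for paths below the directory they worked for, and prompts again only when a 401 names a realm it has not seen. Realm names, directories, users and passwords are constructed stand-ins for the quoted configuration; the user files use the `{SHA}` format of `htpasswd -s` so that no `crypt()` library is needed, and the client's prompt is simulated by a dictionary of what the user would type per realm.

```python
"""Added example, not from the thread: a model of per-directory Basic auth.
The server applies the most specific directory's settings; the client caches
credentials per directory and re-prompts only on a challenge for a new realm.
Realms, users, passwords and paths below are constructed."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

def htpasswd_sha_entry(user: str, password: str) -> str:
    """Emulate `htpasswd -s`: user:{SHA} followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def check_sha_password(stored: str, password: str) -> bool:
    """Verify a password against one {SHA} entry with a constant-time compare."""
    if not stored.startswith("{SHA}"):
        return False
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(stored[5:], base64.b64encode(digest).decode("ascii"))

def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user -> stored hash, skipping blank lines and '#' comments."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'.  As the message notes, the header
    carries only the scheme and the credential; no realm travels with it."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

# Constructed stand-in for the two .htaccess/.htpasswd pairs quoted above.
PER_DIRECTORY_AUTH: Dict[str, Tuple[str, str]] = {
    "/": ("Root Restricted Files", htpasswd_sha_entry("root", "password")),
    "/test1/": ("Test1 Restricted Files", htpasswd_sha_entry("test1", "password1")),
}

def handle_request(path: str, authorization: Optional[str]) -> Tuple[int, str]:
    """Server side: the longest matching directory's realm and user file win."""
    directory = max((d for d in PER_DIRECTORY_AUTH if path.startswith(d)), key=len)
    realm, user_file = PER_DIRECTORY_AUTH[directory]
    challenge = f'Basic realm="{realm}"'  # value of the WWW-Authenticate header
    creds = parse_basic_authorization(authorization) if authorization else None
    if creds is None:
        return 401, challenge
    stored = parse_htpasswd(user_file).get(creds[0])
    if stored is None or not check_sha_password(stored, creds[1]):
        return 401, challenge  # user absent from this directory's file, or bad password
    return 200, f"{path} served to {creds[0]}"

class BasicAuthClient:
    """Client side: remembers which credentials worked under which directory,
    sends them preemptively below it, and on a 401 answers the named realm."""

    def __init__(self, known: Dict[str, Tuple[str, str]]) -> None:
        self.known = known                # realm -> (user, password) the user would type
        self.cache: Dict[str, str] = {}   # directory -> Authorization header value

    def fetch(self, path: str) -> List[Tuple[Optional[str], int]]:
        directory = path.rsplit("/", 1)[0] + "/"
        prefixes = [d for d in self.cache if directory.startswith(d)]
        header = self.cache[max(prefixes, key=len)] if prefixes else None
        status, body = handle_request(path, header)
        exchange = [(header, status)]  # (Authorization sent, status received)
        if status == 401:
            realm = body.split('realm="', 1)[1].rstrip('"')
            if realm in self.known:  # otherwise the user cancels the dialog
                user, password = self.known[realm]
                token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
                header = f"Basic {token}"
                status, body = handle_request(path, header)
                exchange.append((header, status))
                if status == 200:
                    self.cache[directory] = header
        return exchange

def demo() -> Tuple[List, List, List]:
    client = BasicAuthClient({"Root Restricted Files": ("root", "password"),
                              "Test1 Restricted Files": ("test1", "password1")})
    root = client.fetch("/index.html")          # challenge, then 200 as root
    nested = client.fetch("/test1/index.html")  # root's cached credentials rejected, new realm, 200 as test1
    again = client.fetch("/test1/other.html")   # test1's credentials sent preemptively, 200 at once
    return root, nested, again
```

Calling `demo()` reproduces what the quoted test showed: the client first sends the root credentials it cached for `/` when it descends into `/test1/`, the nested directory's user file rejects them, the 401 names the new realm, and the client prompts and succeeds; the Authorization header itself never carries a realm, which is why `parse_basic_authorization` decodes the token quoted in the message (`QWxhZGRpbjpvcGVuIHNlc2FtZQ==`, the RFC's own `Aladdin:open sesame` example) to just a user and a password. Real browsers' caching heuristics are richer than this model, and the quoted configuration stores the `.htpasswd` files inside the document root, which relies on the server refusing to serve `.ht*` files; keeping them outside the document root removes that dependency.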
