tcl-websh-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ronnie Brunner <>
Subject Re: Authentification
Date Fri, 10 Apr 2009 20:54:47 GMT
Hi again

> > some time ago (Apr 2006) we had a discussion on how to add access to
> > user/password from the authentication of APACHE.
> > For this new installation I decided to use the newest version from
> > SVN, also because there were some bugfixes with response and APACHE
> > 2.2 reported. I sadly recognized, that the changes were not in
> > (yet). Any plans to do so?

I just committed some changes that expose Bais Auth user and password
to Websh. (Aren't religious holidays like "Karfreitag" a wonderful thing
for us developers with a daytime job? ;-)

The new paragraphs from the (committed, but unpublished) quick
reference (request_data_handling.html):

""Special case for handling Basic Auth:

web::request AUTH_USER
    returns the username provided by the user when Basic Auth is
    requested and Apache does not handle it (i.e. if Apache does not
    provide REMOTE_USER). 
web::request AUTH_PW
    returns the password provided by the user when Basic Auth is
    requested and Apache does not handle it (i.e. if Apache does not
    provide REMOTE_USER). 

The following example provides a basic app that requires Basic Auth
and completely bypasses Apache's auth mechanisms.

Example 7. web::request AUTH_USER and web::request AUTH_PW

  # returns 1 if user/pass provided is websh/websh
  proc isAuthenticated {} {
    if {[web::request -count AUTH_USER]} {
    set user [web::request AUTH_USER]
    set pass [web::request AUTH_PW]
    if {[string eq $user "websh"] && [string eq $pass "websh"]} {
        return 1
    return 0

  # the default command requests Basic Auth unless provided correctly
  web::command default {
    if {![isAuthenticated]} {
    web::response -set Status {401 Authorization Required}
    web::response -set WWW-Authenticate {Basic realm="Websh auth"}
    web::put "Sorry, you're out"
    } else {
    web::put "You're in"

  # command dispath

Note: CGI usually does not expose the Basic Auth Authorization header
for security reasons. The following configuration for Apache (as of
version 2.0.51) will allow Websh to also provide the same
functionality when running in CGI (requires mod_setenvif):

Example 8. Apache configuration for AUTH_USER and AUTH_PW to work
           under CGI

  SetEnvIf Authorization "^(Basic .+)$" AUTH_BASIC=$1

Important security consideration: This configuration will also expose
the authentication information to Websh when Apache does handle the
authentication. Although Websh hides the information in that case it
is always available in the CGI environment. Use this Configuration

If you ever find the time to play around with this let me know if it
works for you.

Best regards
Ronnie Brunner |
phone +41-44-247 79 79 | fax +41-44-247 70 75
Netcetera AG | 8040 Z├╝rich | Switzerland |

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message