Re: Authenticating with subfolders (Apache Users)

Hi Bruno,

just read again the RFC you stated, I'm not sure about the assumption that a realm can be contained within another.

Or may be the implementation done by Apache httpd cannot support multiple nested realms.

As far as I see, you can define just one Realm that, eventually, override the existing one.

This is from "Authentication and Authorization" ( http://httpd.apache.org/docs/2.2/howto/auth.html )

The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.

On the other hand, I took a look at HTTP header during the conversation between server and agent.

Well, the Agent, within its Request, sends an Authorization header quite simple.

It don't even specify the realm, only type and credential:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

So I'm not sure it is possible have multiple realm.

Best,

Vincenzo

2013/5/21 Vincenzo D'Amore <v.damore@xxxxxxxxx>

Hi Bruno,

may be you're right, I read long time ago, but actually don't remember exactly the RFC.

So now I have just implemented such configuration with Apache 2.2.

Into the document root I have created a .htaccess with this configuration:

AuthType Basic
AuthName "Root Restricted Files"

AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
require valid-user

After I created a directory /var/www/test1 where I have created a new .htaccess file with this configuration:

AuthType Basic
AuthName "Test1 Restricted Files"
AuthBasicProvider file
AuthUserFile /var/www/test1/.htpasswd
require valid-user

Into /var/www/.htpasswd there is:

# htpasswd -bn root password

root:UYMXijHR5MW42

Into /var/www/test1/.htpasswd there is:

# htpasswd -bn test1 password1

test1:P5ENtSmla14FQ

Well, it is working pretty well, please try it.

I have also tried to add a third directory with different credential, every thinks works like a charm :)

Best,
Vincenzo

2013/5/21 Bruno Tréguier <Bruno.Treguier@xxxxxxx>
Le 21/05/2013 à 11:07, Vincenzo D'Amore a écrit :

> Hi Miguel,
>
> yes it is possible, you could add a couple of file in each directory
> (.htaccess and .htpasswd).
> Those files should override the root authentication configuration with a
> new local config.
>
> I suggest to read here how to implement such configuration:
>
> http://httpd.apache.org/docs/2.2/howto/auth.html

Hello Vincenzo and Miguel,

I've been looking for such a configuration as well long ago, and I had
come to the conclusion that it was not possible, as only *one*
Authorization header is allowed (as far as I know).

RFC2616 (HTTP/1.1) also states, in its §14.8:

"If a request is authenticated and a realm specified, the same
credentials SHOULD be valid for all other requests within this realm".

So, as I undestand it, you cannot use a login/password pair for a local
resource accessible via, e.g., "/a/", and another login/password pair
for another local resources located "under", e.g. "/a/b/" (as accessing
/a/b/'s realm implies accessing "/a/'s realm first).

I may be wrong, that being said, but if anyone has a solution for that,
I'd love to read how it was implemented.

Regards,

Bruno

--
- Service Hydrographique et Oceanographique de la Marine - DMGS/INF
- 13, rue du Chatellier - CS 92803 - 29228 Brest Cedex 2, FRANCE
- Phone: +33 2 98 22 17 49 - Email: Bruno.Treguier@xxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
Vincenzo D'Amore
email: v.damore@xxxxxxxxx
skype: free.dev
mobile: +39 349 8513251

Vincenzo D'Amore
email: v.damore@xxxxxxxxx
skype: free.dev
mobile: +39 349 8513251