interested in how to get the new mod_auth_form module to work

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: interested in how to get the new mod_auth_form module to work
From: Dennis Clarke <dclarke@xxxxxxx>
Date: Thu, 29 Aug 2013 22:39:48 -0400
Organization: ADBS Inc.
Reply-to: users@xxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130704 Icedove/17.0.7

I see that the new mod_auth_form module should provide a better
looking way to do the same old thing : login to Apache. So I
ensured that I had this in my httpd.conf :

LoadModule auth_form_module modules/mod_auth_form.so

I then wanted to try AuthFormLogoutLocation and put in this Location :


<Location /logout>
    SetHandler form-logout-handler
    AuthFormLogoutLocation https://my.server.com/logged_out.html
    Session on
</Location>

This is taken directly from the docs at :

http://httpd.apache.org/docs/current/mod/mod_auth_form.html#authformlogoutlocation

I am able then to go see my server-info via this :

<Location /server-info>
    SetHandler server-info
    AuthType basic
    AuthName "someauthnamehere"
    AuthBasicProvider file
    AuthUserFile /usr/local/www/conf/.htpasswd
    AuthGroupFile /usr/local/www/conf/.htgroup

    Require group webadmin

</Location>

Which shows me that indeed the module is loaded and I have the followingconfig :



Module Name: mod_auth_form.c
Content handlers: yes

Configuration Phase Participation: Create Directory Config, MergeDirectory ConfigsRequest Phase Participation: Verify User ID, Note AuthenticationFailure, Content Handlers

Module Directives:

AuthFormProvider - specify the auth providers for a directory orlocation

    AuthFormUsername - The field of the login form carrying the username
    AuthFormPassword - The field of the login form carrying the password

AuthFormLocation - The field of the login form carrying the URL toredirect on successful login.AuthFormMethod - The field of the login form carrying the originalrequest method.AuthFormMimetype - The field of the login form carrying theoriginal request mimetype.AuthFormBody - The field of the login form carrying the urlencodedoriginal request body.

    AuthFormSize - Maximum size of body parsed by the form parser

AuthFormLoginRequiredLocation - If set, redirect the browser tothis URL rather than return 401 Not Authorized.AuthFormLoginSuccessLocation - If set, redirect the browser to thisURL when a login processed by the login handler is successful.AuthFormLogoutLocation - The URL of the logout successful page. Anattempt to access an URL handled by the handler form-logout-handler willresult in an redirect to this page after logout.AuthFormSitePassphrase - If set, use this passphrase to determinewhether the user should be authenticated. Bypasses the userauthentication check on every website hit, and is useful for hightraffic sites.AuthFormAuthoritative - Set to 'Off' to allow access control to bepassed along to lower modules if the UserID is not known to this moduleAuthFormFakeBasicAuth - Set to 'On' to pass through authenticationto the rest of the server as a basic authentication header.AuthFormDisableNoStore - Set to 'on' to stop the sending of aCache-Control no-store header with the login screen. This allows thebrowser to cache the credentials, but at the risk of it being possiblefor the login form to be resubmitted and revealed to the backend serverthrough XSS. Use at own risk.

Current Configuration:
    In file: /usr/local/www/conf/httpd.conf
     110: <Location /logout>
     112:   AuthFormLogoutLocation https://my.server.com/logged_out.html
        : </Location>
     129: <Directory "/usr/local/apache/www/data/htdocs/testfolder">
     130:   AuthFormProvider file
        : </Directory>


Not much I know but I wanted to start simply.

Well when I try to go to that location /logout I get a big ol' ServerError 401 Unauthorizedwhich is a bit odd given that I am in fact logged in or I could not seethe Location

for server-info.

So what am I missing here ?

Do I need to specify a pile of auth requirements in order to allow logout ?

Something like this :


    AuthType basic
    AuthName "someauthnamehere"
    AuthBasicProvider file
    AuthUserFile /usr/local/www/conf/.htpasswd
    AuthGroupFile /usr/local/www/conf/.htgroup

    Require validuser

    AuthFormLogoutLocation https://my.server.com/logged_out.html

    Session on


?  Seems counter intuitive to need a user to login in order to allow logout
via the handler form-logout-handler.

What am I missing .. besides everything :-\

Dennis

ps: Apache 2.4.4 here

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Prev by Date: html access of object on server
Next by Date: INTERNAL REDIRECT
Previous by thread: html access of object on server
Next by thread: mod_vhost_alias does not resolve "%0"
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]