Re: mod_cgi not passing headers for authentication

[Jonathon Koyle <litereader@xxxxxxxxx>]

That standard states:

 

if the client request required authentication for external
access, then the server MUST set the value of this variable from the
'auth-scheme' token in the request Authorization header field.

However, you are configuring Apache to NOT authenticate and therefore Apache CANNOT provide those headers.
It never asked for them, and has no knowledge of any authentication you are requiring in the CGI script.

At this point, the 'authenticating server` is your CGI script.

Also, keep in mind it also provides this disclaimer:

   This document is not a candidate for any level of Internet Standard.
   The IETF disclaims any knowledge of the fitness of this document for
   any purpose, and in particular notes that it has not had IETF review
   for such things as security, congestion control or inappropriate
   interaction with deployed protocols.  The RFC Editor has chosen to
   publish this document at its discretion.  Readers of this document
   should exercise caution in evaluating its value for implementation
   and deployment.

On Sun, Mar 1, 2020 at 11:33 AM Roderick <hruodr@xxxxxxxxx> wrote:

I do not want apache "doing basic auth". I want to do it in the
cgi script myself, and as I understand RFC3875, the headers in
question should be passed for that purpose.

Thanks anyway
Rodrigo


On Sun, 1 Mar 2020, Eric Covener wrote:

> If Apache isn't doing basic auth, it can't supply REMOTE_USER to you,
> because it hasn't authenticated anyone.  Similar for AUTH_TYPE -- the
> server hasn't done any auth.
> Authorization isn't passed by default intentionally as a typical CGI
> has no business w/ the users credentials.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--

Jonathon Koyle