I'm playing around with authentication schemes under Apache. In reading the spec [1] I notice that a server can send multiple authentication schemes. Now, Apache has support for both Basic and Digest authentication schemes, and both the scheme and userid are included with the request, so a CGI script can determine if the request was made via the Basic scheme or Digest scheme:

    AUTH_TYPE=Digest
    REMOTE_USER=sean@xxxxxxxxxx

So far so good. But the Digest scheme isn't supported in all browsers, just the most recent versions. It would be nice to support both [2]. I tried the following under both Apache 1.3.33 and Apache 2.0.54:

    <VirtualHost 66.252.224.11>
      ServerName   wiki.flummux.org
      ServerAdmin  sean@xxxxxxxxxx
      DocumentRoot /home/spc/wiki/htdocs
      CustomLog    logs/wiki.flummux.org combined

      # bunch of ErrorDocument directives snipped
      # not germane to the discussion here ...

      <Directory /home/spc/wiki/htdocs>
        AllowOverride All
        Options       All
        AuthType      Basic
        AuthName      "Wiki Editing"
        AuthUserFile  /home/spc/blog/users
        AuthGroupfile /home/spc/blog/groups
        <LimitExcept GET HEAD>
          Require valid-user
        </LimitExcept>
      </Directory>

      <Location "/edit/">
        Require valid-user
      </Location>

      <Directory /home/spc/wiki/htdocs/private>
        AllowOverride All
        Options       All

        AuthType      Basic
        AuthName      Administration
        AuthUserFile  /home/spc/wiki/users
        AuthGroupFile /home/spc/wiki/groups
        Require       group admin

        AuthType            Digest
        AuthName            Administration
        AuthDigestFile      /home/spc/wiki/digest-users
        AuthDigestGroupFile /home/spc/wiki/groups
        Require             group admin
      </Directory>
    </VirtualHost>

(configuration is the same under both versions). The configuration works (that's not the problem), but Apache (both versions) seems to prefer the Digest method and never mentions the Basic scheme at all:

    Trying 66.252.224.11...
    Connected to wiki.flummux.org.
    Escape character is '^]'.
    GET /private/ HTTP/1.0
    Host: wiki.flummux.org

    HTTP/1.1 401 Authorization Required
    Date: Wed, 07 Dec 2005 21:53:35 GMT
    Server: Apache/2.0.54 (Unix) DAV/2
    WWW-Authenticate: Digest realm="Administration", nonce="2C4cL1wHBAA=3f5f62f8b6181df23b6f8381c8860f3001cbd877", algorithm=MD5, qop="auth"
    Last-Modified: Wed, 07 Dec 2005 21:20:34 GMT
    ETag: "a041cc-89e-b8ff4c80"
    Accept-Ranges: bytes
    Content-Length: 2206
    Connection: close
    Content-Type: text/html

I've yet to try Apache 2.2, but can Apache be configured to support multiple authentication schemes for the same directory/location? Am I missing something?

  -spc (If not, oh well ... I can deal ... )

[1] RFC-2617: HTTP Authentication: Basic and Digest Access Authentication

[2] Just playing around with an idea, and Digest is the preferred method, but I would like to support the Basic scheme, just a bit differently though.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
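An added example, not part of the original post and not Apache code: a parser for the RFC 2617 challenge list the post refers to, including the case where several challenges share one WWW-Authenticate value, plus the client-side choice of scheme. The Digest challenge is the one from the 401 above; the Basic challenge, the function names and the strength ranking are assumptions.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')   # split on commas outside quotes
PARAM = re.compile(rf"({TOKEN})\s*=\s*(.*)", re.S)    # name=value
START = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)   # scheme [first-param]
STRENGTH = {"basic": 0, "digest": 1}  # assumed ranking, only the two schemes in the post

# Digest challenge copied from the 401 in the post; the Basic one is constructed.
DIGEST = ('Digest realm="Administration", '
          'nonce="2C4cL1wHBAA=3f5f62f8b6181df23b6f8381c8860f3001cbd877", '
          'algorithm=MD5, qop="auth"')
BASIC = 'Basic realm="Administration"'

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])  # undo quoted-pair escapes
    return value

def parse_challenges(header_values):
    """Return [(scheme, {param: value}), ...] for one or more WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        for item in (i.strip() for i in ITEM.findall(value)):
            param = PARAM.fullmatch(item)
            if item and param is None:  # not name=value, so it opens a new challenge
                start = START.fullmatch(item)
                if start is None:
                    raise ValueError(f"malformed challenge item: {item!r}")
                challenges.append((start.group(1), {}))
                param = PARAM.fullmatch((start.group(2) or "").strip())
            if param:
                if not challenges:
                    raise ValueError("auth-param before any auth-scheme")
                challenges[-1][1][param.group(1).lower()] = _unquote(param.group(2))
    return challenges

def choose_scheme(challenges, supported):
    """Strongest offered challenge whose scheme the client supports, else None."""
    usable = [c for c in challenges
              if c[0].lower() in supported and c[0].lower() in STRENGTH]
    return max(usable, key=lambda c: STRENGTH[c[0].lower()], default=None)

if __name__ == "__main__":
    offered = parse_challenges([DIGEST + ", " + BASIC])
    for scheme, params in offered:
        print(scheme, params)
    print("Digest-capable client answers with:", choose_scheme(offered, {"basic", "digest"})[0])
    print("Basic-only client answers with:", choose_scheme(offered, {"basic"})[0])
```

When both schemes are offered for the same realm, a Basic-only client answers with Basic, which sends the password base64-encoded rather than hashed, so the realm is only as strong as the weakest scheme offered.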