Re: [users@httpd] Re: Single Sign-On to Virtual Hosts

On 3/28/06, Joost de Heer <sanguis@xxxxxxxxx> wrote:
> David Knecht wrote:
> > This is probably a rather simple question related to single sign-on to
> > virtual hosts. Although I did some research I need some advice that
> > points me to the right direction...
> >
> > This is the environment:
> >
> > Virtual host A; Allowed users: administrator, user_a
> > Virtual host B; Allowed users: administrator, user_b
> > Virtual host C; Allowed users: administrator, user_a, user_c
> >
> > I'd like to create an administrator account using Apache's basic
> > authentication feature. Whenever the administrator is successfully
> > authenticated to one of these virtual hosts then no additional
> > authentication/login should be required when accessing the other virtual
> > hosts. The same applies to non-administrator users. Here, every
> > individual user is allowed to login only to explicitly assigned virtual
> > hosts.
> >
> > I am currently using this type of authentication definitions in every
> > single virtual host container of my test setup:
> >
> > ...
> >       <Location "/xyz">
> >               AuthType Basic
> >               AuthName "Virtual Host A"
> >               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
> >               Require valid-user
> >       </Location>
> > ...
> >
> > Every virtual host container is currently using its own AuthUserFile. I
> > assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
> > user definitions as well as "Require administrator user_a" etc. on every
> > individual virtual host is the way to go. However, I did not manage to
> > make the single sign-on work so far...
>
> Something like this:
>
> - Have all vhosts use the same AuthName
> - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
> group with the members that may use that vhost
> - require membership of the proper authgroup.
>
> Once you start using different authnames, you can forget SSO, since a
> different realm will be used for different vhosts.

Different hosts will require a new prompt regardless of the AuthName. 
Otherwise you could easily steal passwords from other sites just by
copying their AuthName.

So the punchline is that it is impossible to do SSO across different
hosts with http basic auth.  You need to use another technique to
manage sessions like cookies or special URLs.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
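
The layout suggested in the thread (one shared AuthUserFile, one AuthName, and a groups file with one group per vhost) could be written as below. This is an added example, not configuration posted by anyone in the thread; the host names, the realm string "Intranet" and the path /etc/httpd/htgroup are assumptions.

```apache
# Assumed contents of /etc/httpd/htgroup (constructed from the user lists
# in the original question):
#   vhosta: administrator user_a
#   vhostb: administrator user_b
#   vhostc: administrator user_a user_c

<VirtualHost *:80>
    ServerName a.example.com
    <Location "/xyz">
        AuthType Basic
        # Same realm string on every vhost
        AuthName "Intranet"
        # One password file for all users
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        # Authorization is decided per vhost by group membership
        Require group vhosta
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName b.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Intranet"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        Require group vhostb
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName c.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Intranet"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        Require group vhostc
    </Location>
</VirtualHost>
```

This gives each user one password and per-vhost authorization from a single place. As the reply above points out, the browser still prompts once for each host name even though the realm string is identical.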


