Joshua Slive wrote:
> On 3/28/06, Joost de Heer <sanguis@xxxxxxxxx> wrote:
> > David Knecht wrote:
> > > This is probably a rather simple question related to single sign-on to
> > > virtual hosts. Although I did some research I need some advice that
> > > points me in the right direction...
> > >
> > > This is the environment:
> > >
> > > Virtual host A; Allowed users: administrator, user_a
> > > Virtual host B; Allowed users: administrator, user_b
> > > Virtual host C; Allowed users: administrator, user_a, user_c
> > >
> > > I'd like to create an administrator account using Apache's basic
> > > authentication feature. Whenever the administrator is successfully
> > > authenticated to one of these virtual hosts then no additional
> > > authentication/login should be required when accessing the other
> > > virtual hosts. The same applies to non-administrator users. Here, every
> > > individual user is allowed to log in only to explicitly assigned
> > > virtual hosts.
> > >
> > > I am currently using this type of authentication definitions in every
> > > single virtual host container of my test setup:
> > >
> > > ...
> > > <Location "/xyz">
> > >     AuthType Basic
> > >     AuthName "Virtual Host A"
> > >     AuthUserFile /etc/httpd/virtual_host_a_htpasswd
> > >     Require valid-user
> > > </Location>
> > > ...
> > >
> > > Every virtual host container is currently using its own AuthUserFile. I
> > > assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
> > > user definitions as well as "Require administrator user_a" etc. on every
> > > individual virtual host is the way to go. However, I did not manage to
> > > make the single sign-on work so far...
> >
> > Something like this:
> > - Have all vhosts use the same AuthName
> > - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
> >   group with the members that may use that vhost
> > - require membership of the proper authgroup.
> >
> > Once you start using different authnames, you can forget SSO, since a
> > different realm will be used for different vhosts.
>
> Different hosts will require a new prompt regardless of the AuthName.
> Otherwise you could easily steal passwords from other sites just by
> copying their AuthName.
>
> So the punchline is that it is impossible to do SSO across different
> hosts with http basic auth. You need to use another technique to manage
> sessions like cookies or special URLs.
>
> Joshua.

Thanks. I guess I am going to give http://idcheck.sourceforge.net/ a try.

David

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
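
The shared password file plus group file layout suggested in the thread, written out as an added example that is not part of the original messages. The ServerName values, the realm string, the group names beyond 'vhosta'/'vhostb' and the /etc/httpd/htgroup path are assumptions. This centralizes accounts and per-vhost authorization only; as stated in the thread, each host still triggers its own login prompt.

```apache
# Added example, not from the thread. Assumed names: a/b/c.example.com,
# "Shared Realm", /etc/httpd/htgroup, group vhostc.
#
# /etc/httpd/htgroup (AuthGroupFile format, one group per line):
#   vhosta: administrator user_a
#   vhostb: administrator user_b
#   vhostc: administrator user_a user_c
#
# /etc/httpd/htpasswd holds all four accounts (created with htpasswd).

<VirtualHost *:80>
    ServerName a.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Shared Realm"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        # Only members of vhosta pass authorization; user_b and user_c
        # authenticate successfully but are still refused with 401.
        Require group vhosta
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName b.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Shared Realm"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        Require group vhostb
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName c.example.com
    <Location "/xyz">
        AuthType Basic
        AuthName "Shared Realm"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroup
        Require group vhostc
    </Location>
</VirtualHost>
```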