users@xxxxxxxxxxxxxxxx

Hi,

I have a problem with authentication.
I currently doubt that it is possible at all.
Perhaps someone can enlighten me how to achieve the goal or confirm that it is not reachable.

The scenario is to achieve a mixed authentication/anonymous access similar to what is described for Subversion (see http://svnbook.red-bean.com/nightly/de/svn-book.html#svn.serverconfig.httpd.authz.perdir.ex-3).

Therefore the ".htaccess" looks something like that:
   Order allow,deny
   Allow from all
   AuthType Basic
   AuthName "Realm"
   AuthUserFile "/some/path/.htusers"
   require valid-user
   Satisfy any

Additionally a PHP script is inside the same folder.
When you now browse to the URL of the PHP script, you can access it without any credentials requested.

At some point the PHP script "decides" that authentication is required (e.g. when passing a param like "?access-secret=1"). Therefore it sends the following two headers:
   WWW-Authenticate: Basic realm="Realm"
   HTTP/1.x 401 Unauthorized

Then you are asked to insert your username/password for the basic auth.

But now comes the problem:
How can the PHP script determine if you have provided valid credentials?
The server variables PHP_AUTH_USER and PHP_AUTH_PW are populated independently of the result of the authentication defined in Apache.

I do explicitly not want to check the credentials in PHP - think of the many different auth-methods which could be configured with Apache.
Nor can the anonymous and authenticated parts be split in separate folders (to use separate .htaccess-files).

Is this goal even possible or is the only way to not allow anonymous access (but for replacement a dummy user like "guest" with no password) or implement the auth in PHP?

Any feedback is highly appreciated.

Thank you
Dirk

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
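
An added illustration, not part of the message above and not code from the Apache or PHP projects: a Basic Authorization header is only base64 of "user:password" chosen by the client, which is why decoded values such as PHP_AUTH_USER and PHP_AUTH_PW carry no information about whether the server accepted them. The function name decode_basic and all sample credentials are constructed for this example.

```php
<?php
// Added example: helper name and sample credentials are constructed.

// Decode an "Authorization: Basic ..." value into user and password.
// Returns null when the header is absent or malformed.
function decode_basic(?string $header): ?array
{
    if ($header === null || !preg_match('/^Basic\s+(\S+)\s*$/i', $header, $m)) {
        return null;
    }
    $raw = base64_decode($m[1], true);      // strict mode rejects non-base64 input
    if ($raw === false || strpos($raw, ':') === false) {
        return null;
    }
    [$user, $pw] = explode(':', $raw, 2);   // the password may itself contain ':'
    return ['user' => $user, 'pw' => $pw];
}

// Constructed headers. Nothing in the header itself distinguishes a password
// that matches the AuthUserFile from one that does not.
$samples = [
    'listed account (constructed)'  => 'Basic ' . base64_encode('alice:correct-password'),
    'made-up account (constructed)' => 'Basic ' . base64_encode('nobody:anything'),
    'malformed value'               => 'Basic %%%not-base64%%%',
    'no header sent'                => null,
];

foreach ($samples as $label => $header) {
    $cred = decode_basic($header);
    $result = $cred === null
        ? 'no credentials'
        : "user={$cred['user']} (decoded only, not verified)";
    printf("%-32s => %s\n", $label, $result);
}
```

Both well-formed headers decode to a populated user and password; only a check against the configured credential store can tell them apart.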

