Hi Geoffrey,

Thanks for your helpful comments. I appreciate any help I can get...

I understand that Apache isn't IIS. I don't use Apache, but some of our customers are, so I'm trying to make sure our product works with Apache. It's not been an easy road to make the ISAPI extension work, but it does work well now after doing a bunch of minor tweaks... with this exception which is really our issue, but an Apache issue.

So... I'm trying to understand whether Apache even supports application driven Basic Authentication. It seems odd that this should be difficult to do - I've worked with a fair number of Web Servers over the years and this is the first time I've run into a situation where the Web Server does not auto negotiate the protocol when enabled in a directory. But then most other Windows Web Servers use the built-in OS security to manage directory level authentication.

I definitely think this is a *Dev* issue because it is after all about trying to force Authentication not through the file/directory system but from within an application. While it may be a configuration setting that's involved, it would seem developers would have a clue how to set this up more likely than an admin.

All the discussion I've seen so far seems to center around authenticating against resources in the file system, which works as expected. But Basic Auth as a protocol is not bound to the file system. So my question is how do I make Apache pass through all requests to my application *and* authenticate the application's Basic Auth negotiation when I ask for it with a 401 header?

> that isn't how Apache works, really. or http for that
> matter. you can send a 401 response/WWW-Authenticate header

I don't know about how Apache works (obviously <g>), but in HTTP it's supposed to work like this:

HTTP 401 works by sending an auth header and the browser responding with a response header that contains the username and password (which is taken from the login dialog box).
It's normally the Web Server's job to validate the user at that point and then set the HTTP_AUTHORIZATION server variable if the user can be authenticated. Apache does all that but only against its files, not against application generated requests. With my Application generated requests it basically interjects itself but doesn't process or forward the browser's Auth information. So you get a situation where there's no hook.

This is a fairly common task in Web applications... I get the feeling Apache can't do this at least not without writing custom auth (which would be preferred anyway, but this is a generic tool and people want to use Web Server integrated security from their own applications).

Anyway if I do this inside of my <directory> tag:

    AuthType Basic
    Require valid-user
    Allow From All
    Satisfy Any
    AuthName "Authorized Users Only"
    AuthUserFile d:/passwords.txt

All requests are going through and my Auth requests for 401 Authentication are not validated and fail.

If I remove:

    Allow From All
    Satisfy Any

Then *every* request is authenticated and Apache handles it but only on the file level.

I do apologize for my ignorance on Apache - as stated this is not my primary tool and that's why I'm asking <g>. I've spent a fair amount of time trying to google info on this subject but I've come up pretty much blank. I'm more than happy to dig if there are any pointers where to look. What I've found in the docs and via Google all deals with file based permissions...

TIA,

+++ Rick ---

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/wwThreads
----------------------------------
Making waves on the Web

> -----Original Message-----
> From: Geoffrey Young [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 23, 2004 4:52 AM
> To: dev@httpd.apache.org
> Subject: Re: Apache and Application driven Basic Auth
>
> Rick Strahl wrote:
> > Thanks Geoff,
> >
> >>I think you need a Require directive
> >
> > Yes I do <g>... but as soon as I put a Require in there it tries to
> > validate every request into the directory.
>
> yes it does :)
>
> > This is not what's required.
> >
> > I need conditional authentication that's generated through the
> > application. I can do this with my own implementation of course,
> > but it seems Apache should allow me to do this under program
> > control. IIS handles this no problem...
>
> Apache isn't IIS :)
>
> > There's an update to where I'm at here:
> >
> > http://west-wind.com/weblog/posts/1211.aspx
> >
> > I now at least have Authentication working, but it's still not what
> > I'd like to see for the app server with users getting the ability to
> > simply ask for auth from within the application by sending a 401
> > header.
>
> that isn't how Apache works, really. or http for that
> matter. you can send a 401 response/WWW-Authenticate header
> to your browser, and the browser will send an appropriate
> Authorization header, but on the next request. _that_
> incoming request needs to be authenticated, and the way
> apache does that is via the authen/authz phases. without the
> Require directive those phases won't be run, so no
> authentication will take place.
>
> so, typically what you need to do for conditional
> authentication is apply the Require directive to enable
> authentication, then _disable_ auth for the requests that
> don't require it. one way is to use the Satisfy directive
> with the "Any" option and code your access phase according to
> your specifications.
>
> anyway, at this point the conversation doesn't really belong
> on [EMAIL PROTECTED] since this is a developer list and you're having
> a user/config issue. you might want to try #apache on
> irc.freenode.net for more pointers.
>
> HTH
>
> --Geoff
>
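
The exchange described in the thread above (a 401 challenge, then an Authorization header on the browser's next request), with the application itself deciding which paths need credentials, as an added Python example that is not part of the original messages. The protected prefix, the user store and the function names are assumptions made for illustration, and it assumes the server hands the Authorization header to the application unchanged.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "Authorized Users Only"      # AuthName value quoted in the thread
PROTECTED_PREFIXES = ("/admin",)     # assumption: paths the app wants protected
# Constructed user store: user -> SHA-256 hex of the password. A stand-in only;
# a real store should hold a salted, slow password hash.
USERS = {"rick": hashlib.sha256(b"s3cret").hexdigest()}

def basic_header(user, password):
    """Build the Authorization value a browser sends after the login dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def check_credentials(user, password):
    """Constant-time comparison against the stored digest."""
    expected = USERS.get(user, "")
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return bool(expected) and hmac.compare_digest(expected, supplied)

def handle(path, headers):
    """Return (status, response_headers, authenticated_user) for one request."""
    if not path.startswith(PROTECTED_PREFIXES):
        return 200, {}, None                     # open path: no challenge
    creds = parse_basic(headers.get("Authorization"))
    if creds and check_credentials(*creds):
        return 200, {}, creds[0]                 # second request: accepted
    # First request, or bad/malformed credentials: challenge (again).
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None
```

Basic credentials are only base64-encoded, so this exchange needs TLS underneath it in any real deployment.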