All,
I work at a large university where some faculty/staff need a way to
only allow students to view certain web pages. Here at the university we
have a central authentication system (based on kerberos) that has been
extended to the browser. Basically the you login via SSL to a machine that
hands you a cookie. Then you go to a secured page where my perl module
verifies that cookie against one of the authentication servers. If you are
authenticated then the modules sets the connection to your user name
($r->connection->user('USERNAME')) and you get to view the page otherwise
you are redirected to the login server (which later redirects you back) to
get a valid cookie.
The authentication works beautifully but authorization seems to
fails. If I have a "require user joe" in an .htaccess file and you are not
joe then apache reverts to basic authentication which makes the browser
bring up the popup box to authenticate. What I would like to do is not have
that popup box come up but instead have some message that tells the user
that they are not authorized for the current url. The only solution that I
could think of was to write a PerlAuthzHandler that mimics apache's built
in authorization but there has got to be a better way. Thanks.
--
Eli Ben Shoshan ([EMAIL PROTECTED])
North East Regional Data Center (NERDC)
