Right, this is fairly obvious but we are trying to prevent apache from
sending the 'login' headers if successful authorization does not occur.  It
seems to me that to do this the handler will need to be moved up or down the
chain which can be unintuitive.

Thanks,

> > Has anybody got an idea how to let a handler decide, if autthen. is
> > required?
>
> You can do this via an access handler. For example, we use the access
> handler to see if the user is coming in from a trusted ip address. If they
> are then they are authorized to use the site. Otherwise, the user must
> login.
>
> The module looks like
>
> package TrustedAuth;
>
> ...
>
> sub access_handler {
>     my $r = shift;
>
>     if ( ... ) {
>         # Have a trusted host so don't ask user to login
>         $r->set_handlers( PerlAuthenHandler => [ \&OK ] );
>     }
>     return OK;
> }
>
> sub authen_handler {
>     # normal stuff here
> }
>
> 1;
>
> and my httpd.conf has
>
> PerlModule TrustedAuth
>
> <Location /secure>
>     AuthName "Secure"
>     AuthType basic
>     Require valid-user
>
>     PerlAccessHandler TrustedAuth::access_handler
>     PerlAuthenHandler TrustedAuth::authen_handler
> </Location>
>
> ---
> Andrew Gilmartin
> Senior Developer
> Ingenta
> [EMAIL PROTECTED]
> andrewgilmartin (aim)
> 401-743-3713 (cell)
>
>
>

Reply via email to