Thanks to the list and two days of hard work, I have my optional HTTP
authentication thingie working :-)

Basically here is how it looks in my Apache config file:

# This method handler ensures that users must enter their credentials
# for any URI which looks like /foo/bar/login.html
<LocationMatch ".*/login.html$">
  AuthName "MKDoc Login"
  AuthType Basic
  PerlAuthenHandler MKDoc::Auth::SQL_HTTP->handler
  require valid-user
</LocationMatch>

# This method handler affects the whole site, it sets the
# $ENV{REMOTE_USER} variable if the credentials have been sent, or
# leaves it undef otherwise.
<Location />
  PerlFixupHandler MKDoc::Auth::SQL_HTTP->handler_opt
</Location>

# if the user successfully logged in when hitting a /foo/bar/login.html
# location, then we want to redirect him where he came from
<LocationMatch ".*/login.html$">
  SetHandler perl-script
  PerlHandler MKDoc::Auth::SQL_HTTP->handler_redirect
  require valid-user
</LocationMatch>

<more perl handlers here>


* Now if you go to /properties.html BEFORE sending the credentials,
* You're redirected to /login.html?from=/properties.html where you login,
* Which redirects you to /properties.html... but this time your browser
sends the credentials!

This is interesting because it's up to the handlers to decide whether
they need authentication or not and does not depend on the location.


> More important is the fact that if a page does not require authentication,
> the users login and password will not be sent.  So a page like index.html that
> is not normally authenticated will not receive the username, and no
> <a href="/admin">Admin this page</a> will be possible.

This is not true, once you've entered the credentials on /login.html the
browsers send them everywhere. Tested under Opera (Linux), Mozilla
(Linux) and IE from version 3 to version 6 (Windows), IE 3 (Mac),
Netscape 4 (Mac).

One exception: links :-(. But the browser support seems to be there...

In the future I plan to have some kind of hybrid handler which would
accept either HTTP credentials OR a cookie... that would be cool :-)


> I'm not 100% sure this is possible without the use of cookies.  I'm pretty sure
> you could write some custom handler to handle the auth, but without a cookie
> to note which users have authenticated, you might be out of luck.

Well I seem to have done it, so it must be possible thanks to you guys
;-)))). I will send the code to anyone who's interested but I don't want
to post it to the list because I suspect that most people aren't.


Thank you everyone,
Cheers,
-- 
IT'S TIME FOR A DIFFERENT KIND OF WEB
================================================================
  Jean-Michel Hiver - Software Director
  [EMAIL PROTECTED]
  +44 (0)114 255 8097
================================================================
                                      VISIT HTTP://WWW.MKDOC.COM
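
Added example, not part of the original message and not MKDoc's code: a plain-Perl sketch (no Apache API) of the two decisions the flow above depends on, reading Basic credentials only when the browser sent them, and keeping the ?from= redirect target on the local site. The names optional_basic_user, safe_redirect_target and %USERS are hypothetical, and the credentials are constructed sample data.

```perl
#!/usr/bin/perl
# Added example (not MKDoc code). Plain Perl, no Apache API; all names are hypothetical.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Constructed credential table; a real handler would query its SQL backend.
my %USERS = (alice => 'wonderland');

# Optional authentication: return the user name when a valid Basic
# Authorization header was sent, nothing otherwise. It never asks for a 401.
sub optional_basic_user {
    my ($header) = @_;
    return unless defined $header;
    my ($b64) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/=]+)\s*\z}i or return;
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return unless defined $pass && length $user;
    return unless exists $USERS{$user} && $USERS{$user} eq $pass;
    return $user;
}

# Target for the post-login redirect taken from ?from=...: accept only a
# local absolute path, otherwise fall back to "/".
sub safe_redirect_target {
    my ($from) = @_;
    return '/' unless defined $from;
    return '/' if $from =~ /[\x00-\x1f\x7f\\]/;    # CR/LF, other controls, backslash
    return '/' unless $from =~ m{\A/(?!/)};        # rejects "//host/" and "http://host/"
    return $from;
}

# Constructed sample input.
my $good = 'Basic ' . encode_base64('alice:wonderland', '');
my $bad  = 'Basic ' . encode_base64('alice:wrong', '');
for my $h (undef, $good, $bad) {
    printf "%-34s -> %s\n", $h // '(no Authorization header)',
        optional_basic_user($h) // '(anonymous)';
}
for my $from ('/properties.html', '//example.org/', 'http://example.org/') {
    printf "from=%-20s -> redirect to %s\n", $from, safe_redirect_target($from);
}
```

Because the browser resends the Base64-encoded password with every request after login, this pattern should only be served over TLS.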
