RE: Fake Basic Authentication
-----Original Message-----
From: Nick Kew
Sent: Thursday, 9 September 2010 01:01
To: dev@httpd.apache.org
Subject: Fake Basic Authentication

> Someone asked on IRC today about seamlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue.

You confuse me. Doesn't this already work with Basic Auth if the user that presents the certificate is registered in the Authn provider with the password 'password'? Of course this also means that if someone knows the username in the certificate of one of the users he can log in WITHOUT certificate using the username and 'password' (provided that client certs are not mandatory of course). Maybe it would be helpful to post an example configuration snippet to be sure that we are really talking about the same thing.

> A quick look at mod_ssl reveals that FakeBasicAuth sets r->user in an Access hook, so it's set before authn. So what the user

In the case that FakeBasicAuth is turned on r->user is not set by mod_ssl. In this case it only adds a fake Basic auth header to r->headers_in in ssl_hook_UserCheck (which is the same hook that mod_auth_basic runs in, but earlier) and leaves the job of setting r->user to mod_auth_basic.

Regards

Rüdiger
Re: Fake Basic Authentication
On 09.09.2010 01:00, Nick Kew wrote:
> Someone asked on IRC today about seamlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue.
>
> A quick look at mod_ssl reveals that FakeBasicAuth sets r->user in an Access hook, so it's set before authn. So what the user asks is trivial: all it needs is an authn provider that accepts any request in which r->user is set. I've just hacked up the smallest-ever(?) module (attached) to do that.
>
> This could also give users flexibility to mix-and-match basic auth with other schemes in mod_rewrite style. Or no doubt shoot themselves in the foot.
>
> Thoughts?

Isn't this already something similar?
http://sourceforge.net/projects/modauthcertific/

Gün.
Re: Fake Basic Authentication
On Thu, 09 Sep 2010 16:51:00 +0200 Guenter Knauf fua...@apache.org wrote:

> On 09.09.2010 01:00, Nick Kew wrote:
>> Someone asked on IRC today about seamlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue.
>>
>> A quick look at mod_ssl reveals that FakeBasicAuth sets r->user in an Access hook, so it's set before authn. So what the user asks is trivial: all it needs is an authn provider that accepts any request in which r->user is set. I've just hacked up the smallest-ever(?) module (attached) to do that.
>>
>> This could also give users flexibility to mix-and-match basic auth with other schemes in mod_rewrite style. Or no doubt shoot themselves in the foot.
>>
>> Thoughts?
>
> Isn't this already something similar?
> http://sourceforge.net/projects/modauthcertific/

Looking at that, I see it implements its own protocol and hooks, including changing r->ap_auth_type on-the-fly. I could be wrong, but it doesn't look like something that'll integrate well with mod_auth_basic and authn providers.

-- 
Nick Kew
Fake Basic Authentication
Someone asked on IRC today about seamlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue.

A quick look at mod_ssl reveals that FakeBasicAuth sets r->user in an Access hook, so it's set before authn. So what the user asks is trivial: all it needs is an authn provider that accepts any request in which r->user is set. I've just hacked up the smallest-ever(?) module (attached) to do that.

This could also give users flexibility to mix-and-match basic auth with other schemes in mod_rewrite style. Or no doubt shoot themselves in the foot.

Thoughts?

-- 
Nick Kew

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "httpd.h"
#include "http_request.h"
#include "http_config.h"
#include "ap_provider.h"
#include "mod_auth.h"

module AP_MODULE_DECLARE_DATA authn_fake_module;

/* Authn provider "fake": the password is ignored; the request is granted
 * whenever r->user has already been set by an earlier hook. */
static authn_status check_fake(request_rec *r, const char *u, const char *p)
{
    return (r->user == NULL) ? AUTH_USER_NOT_FOUND : AUTH_GRANTED;
}

static void register_hooks(apr_pool_t *p)
{
    static const authn_provider authn_fake_provider = {
        check_fake,   /* check_password */
        NULL,         /* get_realm_hash (no digest support) */
    };

#if AP_MODULE_MAGIC_AT_LEAST(2010,0)
    /* httpd 2.3/2.4 provider registration */
    ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "fake",
                              AUTHN_PROVIDER_VERSION,
                              &authn_fake_provider, AP_AUTH_INTERNAL_PER_CONF);
#else
    /* httpd 2.2 provider registration */
    ap_register_provider(p, AUTHN_PROVIDER_GROUP, "fake", "0",
                         &authn_fake_provider);
#endif
}

#if AP_MODULE_MAGIC_AT_LEAST(2010,0)
AP_DECLARE_MODULE(authn_fake) =
#else
module AP_MODULE_DECLARE_DATA authn_fake_module =
#endif
{
    STANDARD20_MODULE_STUFF,
    NULL,            /* per-directory config creator */
    NULL,            /* per-directory config merger */
    NULL,            /* per-server config creator */
    NULL,            /* per-server config merger */
    NULL,            /* command table */
    register_hooks
};
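To make the hook order and the resulting authn decisions concrete, here is an added Python simulation; it is not code from this thread or from httpd. It models what Rüdiger describes (mod_ssl's FakeBasicAuth only injecting a Basic header for the certificate's subject DN, mod_auth_basic decoding it and setting r->user before the provider runs), Nick's check_fake() provider, and a file-like provider holding the DN with the fixed password 'password' that the mod_ssl manual prescribes for FakeBasicAuth. The Request class, the USERS table, the DN "/C=DE/O=Example/CN=alice" and the hardened cert_provider() are constructed for the example and are assumptions, not httpd internals.

```python
import base64

# Fixed password that mod_ssl's FakeBasicAuth places in the fake header (per the
# mod_ssl manual); the htpasswd entry for a certificate DN has to use it.
FAKE_BASIC_PASSWORD = "password"

# Constructed user database for the simulation (plain text instead of crypt()).
USERS = {
    "/C=DE/O=Example/CN=alice": FAKE_BASIC_PASSWORD,  # certificate user
    "bob": "s3cret",                                  # ordinary Basic-auth user
}


class Request:
    """Stand-in for httpd's request_rec with just the fields the thread talks about."""

    def __init__(self, headers=None, client_dn=None, ssl_verify="NONE"):
        self.headers_in = dict(headers or {})
        self.subprocess_env = {"SSL_CLIENT_VERIFY": ssl_verify}
        if client_dn is not None:
            self.subprocess_env["SSL_CLIENT_S_DN"] = client_dn
        self.user = None


def ssl_hook_usercheck(r, fake_basic_auth=True):
    """mod_ssl as Rüdiger describes it: with FakeBasicAuth on, add a Basic header
    for the verified certificate's subject DN, but leave r->user unset."""
    dn = r.subprocess_env.get("SSL_CLIENT_S_DN")
    if fake_basic_auth and dn and r.subprocess_env["SSL_CLIENT_VERIFY"] == "SUCCESS":
        token = base64.b64encode(f"{dn}:{FAKE_BASIC_PASSWORD}".encode()).decode()
        r.headers_in["Authorization"] = "Basic " + token


def auth_basic(r, provider):
    """mod_auth_basic: decode the header, set r->user, then ask the provider."""
    hdr = r.headers_in.get("Authorization", "")
    if not hdr.startswith("Basic "):
        return "AUTH_DENIED"  # real httpd would send a 401 challenge here
    user, _, password = base64.b64decode(hdr[6:]).decode().partition(":")
    r.user = user
    return provider(r, user, password)


def file_provider(r, user, password):
    """mod_authn_file-like lookup against USERS."""
    if user not in USERS:
        return "AUTH_USER_NOT_FOUND"
    return "AUTH_GRANTED" if USERS[user] == password else "AUTH_DENIED"


def fake_provider(r, user, password):
    """Nick's check_fake(): grant as soon as r->user is set."""
    return "AUTH_USER_NOT_FOUND" if r.user is None else "AUTH_GRANTED"


def cert_provider(r, user, password):
    """Hypothetical hardened variant (not from the thread): grant only when mod_ssl
    actually verified a client certificate and the user is its subject DN."""
    env = r.subprocess_env
    if env.get("SSL_CLIENT_VERIFY") == "SUCCESS" and user == env.get("SSL_CLIENT_S_DN"):
        return "AUTH_GRANTED"
    return "AUTH_USER_NOT_FOUND"  # let the next provider (e.g. file) decide


def run(client_dn, typed_credentials, provider):
    """Drive one request through the hooks in httpd order and return the verdict."""
    headers = {}
    if typed_credentials:  # what a browser sends after the Basic dialogue
        headers["Authorization"] = "Basic " + base64.b64encode(typed_credentials.encode()).decode()
    r = Request(headers, client_dn, "SUCCESS" if client_dn else "NONE")
    ssl_hook_usercheck(r)  # runs before mod_auth_basic in the same hook
    return auth_basic(r, provider)


if __name__ == "__main__":
    alice = "/C=DE/O=Example/CN=alice"
    print(run(alice, None, file_provider))               # AUTH_GRANTED: cert + 'password'
    print(run(None, f"{alice}:password", file_provider))  # AUTH_GRANTED: Rüdiger's caveat
    print(run(None, "mallory:x", fake_provider))          # AUTH_GRANTED: r->user is already set
    print(run(None, "mallory:x", cert_provider))          # AUTH_USER_NOT_FOUND
```

The third case is the foot-shooting Nick alludes to, seen through Rüdiger's observation: because mod_auth_basic sets r->user from whatever Basic header arrived, a provider that keys on r->user alone cannot tell a FakeBasicAuth-generated header from a typed one. The second case is Rüdiger's caveat about the fixed 'password' entry, which is why he qualifies it with "provided that client certs are not mandatory" (SSLVerifyClient require removes it). The hardened variant ties the grant to mod_ssl's SSL_CLIENT_VERIFY result instead.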
Re: Fake Basic Authentication
> This could also give users flexibility to mix-and-match basic auth with other schemes in mod_rewrite style. Or no doubt shoot themselves in the foot.

Seems to me like it does wonders for FakeBasicAuth usability. Does it make sense to move the mockup of the Authorization header into mod_authn_fake, or give it a better way to signal to the auth modules not to challenge?

-- 
Eric Covener
cove...@gmail.com