I see that the new mod_auth_form module should provide a better-looking
way to do the same old thing: log in to Apache. So I ensured that I had
this in my httpd.conf:

    LoadModule auth_form_module modules/mod_auth_form.so

I then wanted to try AuthFormLogoutLocation and put in this Location:

    <Location /logout>
        SetHandler form-logout-handler
        AuthFormLogoutLocation https://my.server.com/logged_out.html
        Session on
    </Location>

This is taken directly from the docs at:
http://httpd.apache.org/docs/current/mod/mod_auth_form.html#authformlogoutlocation

I am able then to go see my server-info via this:

    <Location /server-info>
        SetHandler server-info
        AuthType basic
        AuthName "someauthnamehere"
        AuthBasicProvider file
        AuthUserFile /usr/local/www/conf/.htpasswd
        AuthGroupFile /usr/local/www/conf/.htgroup
        Require group webadmin
    </Location>

Which shows me that indeed the module is loaded and I have the following
config:

    Module Name: mod_auth_form.c
    Content handlers: yes
    Configuration Phase Participation: Create Directory Config, Merge
        Directory Configs
    Request Phase Participation: Verify User ID, Note Authentication
        Failure, Content Handlers
    Module Directives:
        AuthFormProvider - specify the auth providers for a directory or
            location
        AuthFormUsername - The field of the login form carrying the username
        AuthFormPassword - The field of the login form carrying the password
        AuthFormLocation - The field of the login form carrying the URL to
            redirect on successful login.
        AuthFormMethod - The field of the login form carrying the original
            request method.
        AuthFormMimetype - The field of the login form carrying the
            original request mimetype.
        AuthFormBody - The field of the login form carrying the urlencoded
            original request body.
        AuthFormSize - Maximum size of body parsed by the form parser
        AuthFormLoginRequiredLocation - If set, redirect the browser to
            this URL rather than return 401 Not Authorized.
        AuthFormLoginSuccessLocation - If set, redirect the browser to this
            URL when a login processed by the login handler is successful.
        AuthFormLogoutLocation - The URL of the logout successful page. An
            attempt to access an URL handled by the handler
            form-logout-handler will result in an redirect to this page
            after logout.
        AuthFormSitePassphrase - If set, use this passphrase to determine
            whether the user should be authenticated. Bypasses the user
            authentication check on every website hit, and is useful for
            high traffic sites.
        AuthFormAuthoritative - Set to 'Off' to allow access control to be
            passed along to lower modules if the UserID is not known to
            this module
        AuthFormFakeBasicAuth - Set to 'On' to pass through authentication
            to the rest of the server as a basic authentication header.
        AuthFormDisableNoStore - Set to 'on' to stop the sending of a
            Cache-Control no-store header with the login screen. This
            allows the browser to cache the credentials, but at the risk of
            it being possible for the login form to be resubmitted and
            revealed to the backend server through XSS. Use at own risk.
    Current Configuration:
    In file: /usr/local/www/conf/httpd.conf
     110: <Location /logout>
     112:   AuthFormLogoutLocation https://my.server.com/logged_out.html
        : </Location>
     129: <Directory "/usr/local/apache/www/data/htdocs/testfolder">
     130:   AuthFormProvider file
        : </Directory>

Not much, I know, but I wanted to start simply.

Well, when I try to go to that location /logout I get a big ol' Server
Error 401 Unauthorized, which is a bit odd given that I am in fact logged
in or I could not see the Location for server-info.

So what am I missing here?

Do I need to specify a pile of auth requirements in order to allow logout?
Something like this?

    AuthType basic
    AuthName "someauthnamehere"
    AuthBasicProvider file
    AuthUserFile /usr/local/www/conf/.htpasswd
    AuthGroupFile /usr/local/www/conf/.htgroup
    Require valid-user
    AuthFormLogoutLocation https://my.server.com/logged_out.html
    Session on

Seems counterintuitive to need a user to log in in order to allow logout
via the handler form-logout-handler.

What am I missing .. besides everything :-\

Dennis

PS: Apache 2.4.4 here