Thanks for your quick help! I will try it (over the weekend...).
> Any suggestions why it should (or not) be included?
Simple answer: it's available in
- Rivet
  via $USER(user) / $USER(pass)
- PHP
  via a variable $PHP_AUTH_USER / $PHP_AUTH_PW resp.
  $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'],
  see http://de3.php.net/manual/de/features.http-auth.php
PHP mentions that it only works if PHP is used as a module. I guess the same
would apply to WebSH. If an external auth mechanism was used, then
REMOTE_USER is set and user/password is not available for security reasons.
Regards
Holger
> -----Original Message-----
> From: Ronnie Brunner [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 28, 2006 5:05 PM
> To: Holger Zeinert
> Cc: 'websh-user'
> Subject: Re: Authentification
>
>
> Hi Holger
>
> > Now I have one problem, which I got solved using mod_dtcl and Rivet,
> > that is to handle authentication in the Tcl part. In mod_dtcl and
> > Rivet you have access to the username and password supplied by the
> > browser. So, assuming I would have access to user/password as
> > USER(user)/USER(password) in websh, I could create a page like this:
>
> Mhhh. The authorization is not exposed because Apache explicitly hides
> it for security reasons. That's why we didn't think it would be
> necessary to expose it in Websh. On the other hand: your approach was
> one I was many times tempted to use :-)
>
> The following patch will give you at least a chance to set up your app
> as desired:
>
> --- src/generic/request_ap.c (revision 378313)
> +++ src/generic/request_ap.c (working copy)
> @@ -92,5 +92,20 @@
>
> paramListSetAsWhole(requestData->request, "GATEWAY_INTERFACE",
> Tcl_NewStringObj("CGI-websh/1.1", -1));
> +
> + {
> + char *val;
> + Tcl_Obj *valo = NULL;
> +
> + /* Check to see if a Authorization header is there */
> + val = (char *)ap_table_get( r->headers_in, "Authorization" );
> + if (val) {
> + valo = Tcl_NewStringObj(val, -1);
> + if (paramListAdd(requestData->request,
> "AUTHORIZATION", valo) != TCL_OK)
> + /* fatal case */
> + return TCL_ERROR;
> + }
> + }
> +
> return TCL_OK;
> }
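Review bot: the added block copies the Authorization header into the request parameters on every request with no way to turn it off, so any script served by the module can read the client's base64-encoded credentials; making the exposure opt-in (a configuration switch that defaults to off) would limit it to applications that do their own authentication. On the failure path of paramListAdd, valo has just been created by Tcl_NewStringObj and is not released before return TCL_ERROR; release it there unless paramListAdd is known to take ownership on failure. The (char *) cast on the ap_table_get result discards const, and declaring val as const char * makes the cast unnecessary. The comment should read "an Authorization header".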
>
>
> It will expose the original Authorization header sent by the
> browser. A more complicated patch would be needed to actually decode
> user and pass from the base64 encoded value. Like this, you'll have to
> change your code to create a USER(user) and USER(password) variable
> from [web::request AUTHORIZATION].
>
> >
> > web::command default {
>
> #Here you'll have to call a proc (to be written :-) like
>
> DecodeAuth USER
>
> #or similar
>
> >     if {[info exists USER]} {
> >         if {[checkUserPassword $USER(user) $USER(password)]} {
> >             showPage
> >         } else {
> >             showError "sorry, wrong user/password"
> >         }
> >     } else {
> >         web::response -httpresponse 401
>
> #This should be:
> web::response -httpresponse "HTTP/1.x 401"
>
> >         web::response -set WWW-Authenticate \
> >             "Basic realm=\"My Domain\""
> >     }
> > }
> > web::dispatch
>
> For a real patch to Websh, it should really decode user and pass and
> set them into specific request variables, but I'm still not sure if
> it's a good idea since it's a security hole, because every page editor
> can then steal users and passwords.
>
> Any suggestions why it should (or not) be included?
>
> hth
> Ronnie
> --
> 10 years of Netcetera - the future in sight
>
> Ronnie Brunner | [EMAIL PROTECTED]
> phone +41 (0)44 247 79 79 | fax +41 (0)44 247 70 75
> Netcetera AG | 8040 Zürich | Switzerland | http://netcetera.ch
>
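
Added example, not part of the thread or of Websh: the decoding step that the quoted message says a more complicated patch would need, written in C, splitting a Basic Authorization value into user and password and rejecting malformed input. The function names decode_basic_auth and b64val and the 256-byte buffer limit are assumptions of this example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helpers for this example; not Websh or Apache code. */
static int b64val(unsigned char c)   /* 6-bit value, or -1 if invalid */
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Split "Basic <base64(user:pass)>" into caller-supplied buffers.
 * Returns 0 on success, -1 on malformed or oversized input. */
int decode_basic_auth(const char *hdr, char *user, size_t ulen,
                      char *pass, size_t plen)
{
    char buf[256], *colon;            /* 256 is an assumed upper bound */
    size_t n = 0, len, i;
    unsigned int acc = 0, bits = 0;

    if (!hdr || strncasecmp(hdr, "Basic ", 6) != 0) return -1;
    hdr += 6;
    while (*hdr == ' ') hdr++;                     /* extra spaces */
    len = strlen(hdr);
    while (len > 0 && hdr[len - 1] == '=') len--;  /* drop padding */
    if (len == 0 || len % 4 == 1) return -1;       /* impossible length */
    for (i = 0; i < len; i++) {
        int v = b64val((unsigned char)hdr[i]);
        if (v < 0) return -1;                      /* not base64 */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= sizeof(buf)) return -1;   /* leave room for NUL */
            buf[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    buf[n] = '\0';
    if (memchr(buf, '\0', n)) return -1;           /* embedded NUL byte */
    colon = strchr(buf, ':');      /* first colon ends the user name */
    if (!colon) return -1;
    *colon = '\0';
    if (strlen(buf) >= ulen || strlen(colon + 1) >= plen) return -1;
    strcpy(user, buf);
    strcpy(pass, colon + 1);
    return 0;
}
```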