> I will try it (over the weekend...).

... couldn't wait.

I had to modify your patch a bit to make it work with Apache 2. It does work
now; however, I'm not sure whether it is completely correct. See the attached
modified version.

The proc to decode is this:

proc DecodeAuth {arrName} {
    package require base64

    upvar $arrName USER
    set USER(user) ""
    set USER(pass) ""

    # raw header as sent by the browser, e.g. "Basic aG9sZ2VyOnNlY3JldA=="
    set data [web::request AUTHORIZATION]
    # the scheme token is case-insensitive (RFC 2617), so accept "basic" too
    if {[string equal -nocase [lindex $data 0] "Basic"]} {
        # we only handle Basic Auth at the moment
        # a client can send garbage instead of base64; treat that as "no credentials"
        if {[catch {::base64::decode [lindex $data 1]} decoded]} {
            return
        }
        # split at the FIRST colon only: the user-id must not contain a colon,
        # but the password may ("holger:pa:ss" is user "holger", pass "pa:ss")
        set idx [string first ":" $decoded]
        if {$idx >= 0} {
            set USER(user) [string range $decoded 0 [expr {$idx - 1}]]
            set USER(pass) [string range $decoded [expr {$idx + 1}] end]
        }
    }
    return
}

So, thanks a lot for your help!

Have a nice weekend.
Holger

> -----Original Message-----
> From: Holger Zeinert [mailto:[EMAIL PROTECTED] 
> Sent: Friday, April 28, 2006 5:26 PM
> To: 'Ronnie Brunner'
> Cc: 'websh-user'
> Subject: RE: Authentification
> 
> 
> Thanks for your quick help! I will try it (over the weekend...).
> 
> > Any suggestions why it should (or not) be included?
> 
> simple answer: it's available in 
>       - Rivet 
>               via $USER(user) / $USER(pass) 
>       - PHP 
>               via a variable $PHP_AUTH_USER / $PHP_AUTH_PW resp.
>               $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'], 
>               see http://de3.php.net/manual/de/features.http-auth.php
> 
> PHP mentions that it only works if PHP is used as a module. I guess the
> same would apply to WebSH. If an external auth mechanism was used, then
> REMOTE_USER is set and user/password is not available for security
> reasons.
> 
> Regards
> Holger
> 
> 
> 
> 
> > -----Original Message-----
> > From: Ronnie Brunner [mailto:[EMAIL PROTECTED] 
> > Sent: Friday, April 28, 2006 5:05 PM
> > To: Holger Zeinert
> > Cc: 'websh-user'
> > Subject: Re: Authentification
> > 
> > 
> > Hi Holger
> > 
> > > Now I have one problem, which I got solved using mod_dtcl and Rivet,
> > > that is to handle authentication in the Tcl part. In mod_dtcl and
> > > Rivet you have access to the username and password supplied by the
> > > browser. So, assuming I would have access to user/password as
> > > USER(user)/USER(password) in websh, I could create a page like this:
> > 
> > Mhhh. The authorization is not exposed because Apache explicitly hides
> > it for security reasons. That's why we didn't think it would be
> > necessary to expose it in Websh. On the other hand: your approach was
> > one I was many times tempted to use :-)
> > 
> > The following patch will give you at least a chance to set up your app
> > as desired:
> > 
> > --- src/generic/request_ap.c     (revision 378313)
> > +++ src/generic/request_ap.c     (working copy)
> > @@ -92,5 +92,20 @@
> >  
> >      paramListSetAsWhole(requestData->request, "GATEWAY_INTERFACE",
> >                         Tcl_NewStringObj("CGI-websh/1.1", -1));
> > +
> > +    {
> > +      char *val;
> > +      Tcl_Obj *valo = NULL;
> > +
> > +      /* Check to see if a Authorization header is there */
> > +      val = (char *)ap_table_get( r->headers_in, "Authorization" );
> > +      if (val) {
> > +       valo =  Tcl_NewStringObj(val, -1);
> > +       if (paramListAdd(requestData->request, 
> > "AUTHORIZATION", valo) != TCL_OK)
> > +         /* fatal case */
> > +         return TCL_ERROR;
> > +      }
> > +    }
> > +
> >      return TCL_OK;
> >  }
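Review bot: `ap_table_get( r->headers_in, "Authorization" )` is the Apache 1.3 table API, so this hunk will not build against Apache 2, where the lookup is `apr_table_get`; that matches Holger's report at the top of the thread that the patch needed modification for APACHE2. If request_ap.c is meant to build for both server generations, put the lookup behind whatever version conditional the file already uses for the two APIs. Two smaller points: on the `!= TCL_OK` branch `valo` was just created with a zero reference count and is only released if paramListAdd took ownership before failing, so either confirm that it does or add `Tcl_DecrRefCount(valo)` before `return TCL_ERROR`; and the `if (paramListAdd(requestData->request,` line has been wrapped by the mailer onto a second line without a `+`, so the hunk has to be rejoined before `patch` will accept it. The comment should also read "an Authorization header" and say that the value is passed through verbatim and undecoded, since that is what every page will now see.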
> > 
> > 
> > It will expose the original Authorization header sent by the
> > browser. A more complicated patch would be needed to actually decode
> > user and pass from the base64 encoded value. Like this, you'll have to
> > change your code to create a USER(user) and USER(password) variable
> > from [web::request AUTHORIZATION].
> > 
> > > 
> > >   web::command default {
> > 
> > #Here you'll have to call a proc (to be written :-) like
> > 
> >             DecodeAuth USER
> > 
> > #or similar
> > 
> > >           if {[info exists USER]} {
> > >                   if {[checkUserPassword $USER(user) $USER(password)]} {
> > >                           showPage
> > >                   } else {
> > >                           showError "sorry, wrong user/password"
> > >                   }
> > >           } else {
> > >                   web::response -httpresponse  401
> > 
> > #This should be:
> >                     web::response -httpresponse  "HTTP/1.x 401"
> > 
> > >                   web::response -set WWW-Authenticate \
> > >                           "Basic realm=\"My Domain\""
> > >           }
> > >   }
> > >   web::dispatch
> > 
> > For a real patch to Websh, it should really decode user and pass and
> > set them into specific request variables, but I'm still not sure if
> > it's a good idea since it's a security hole, because every page editor
> > can then steal users and passwords.
> > 
> > Any suggestions why it should (or not) be included?
> > 
> > hth
> > Ronnie
> > -- 
> > 10 years of Netcetera - the future in our sights
> > 
> > Ronnie Brunner | [EMAIL PROTECTED]
> > phone +41 (0)44 247 79 79 | fax +41 (0)44 247 70 75
> > Netcetera AG | 8040 Zürich | Switzerland | http://netcetera.ch
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

Attachment: request_ap.c
Description: Binary data

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
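The decoding Ronnie describes (user and pass split out of the base64 value of the Authorization header) and the check/401 logic in Holger's page sketch, as an added example that is not code from this thread or from Websh. It is written in Python rather than Tcl so it runs stand-alone outside Websh, and it covers the cases a single split on ":" gets wrong: a colon inside the password, a lower-case "basic" scheme token, garbage instead of base64, and non-UTF-8 bytes. `USERS`, `parse_basic_auth`, `check_user_password`, `handle_request` and `make_basic` are this example's own names; `checkUserPassword` and the realm string `"My Domain"` are taken from the thread, and the credential store is constructed for the example.

```python
"""Added example (not Websh or thread code): parse an HTTP Basic
Authorization header and drive the 200 / 401 / 403 decision."""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for this example only; in the thread's page
# this lookup is whatever checkUserPassword consults.
USERS: Dict[str, str] = {"holger": "pa:ss:word"}

# Challenge from the thread's page sketch (web::response -set WWW-Authenticate ...)
REALM_CHALLENGE = {"WWW-Authenticate": 'Basic realm="My Domain"'}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header value, or None
    when the header is absent, not Basic, or malformed.

    Rules from RFC 2617 / RFC 7617:
    - the scheme token is case-insensitive ("basic" is as good as "Basic")
    - the credentials are base64(user-id ":" password)
    - the user-id must not contain ":" but the password may, so the decoded
      string is split at the FIRST colon only
    """
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # Digest, Bearer, or a bare "Basic" with no credentials
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # garbage instead of base64 counts as "no credentials"
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")  # historical default, never fails
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # "user" without ":" is not a valid user-pass
    return user, password


def check_user_password(user: str, password: str) -> bool:
    """Stand-in for the thread's checkUserPassword: compare in constant
    time and do the comparison even for unknown users so a wrong user and
    a wrong password cost the same."""
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return ok and user in USERS


def handle_request(authorization: Optional[str]) -> Tuple[int, dict]:
    """The decision in Holger's page sketch: 401 plus a challenge when no
    usable credentials arrived, 200 when they check out, and an error
    (403 here, showError in the sketch) when they are wrong."""
    creds = parse_basic_auth(authorization)
    if creds is None:
        return 401, dict(REALM_CHALLENGE)
    user, password = creds
    if check_user_password(user, password):
        return 200, {}
    return 403, {}


def make_basic(user: str, password: str) -> str:
    """Build the header a browser sends after the challenge (for the samples)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    # Constructed sample headers: absent, valid with colons in the password,
    # wrong password, not base64, and a non-Basic scheme.
    samples = [None, make_basic("holger", "pa:ss:word"),
               make_basic("holger", "wrong"), "Basic !!notbase64!!",
               'Digest username="x"']
    for hdr in samples:
        print(repr(hdr), "->", handle_request(hdr))
```

The same first-colon rule is what the Tcl proc in this message needs: `split $decoded ":"` followed by `lindex ... 1` silently truncates any password that contains a colon, whereas `string first ":"` plus two `string range` calls keeps the whole password.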
