RE: Authentification

Hi Ronny,

some time ago (Apr 2006) we had a discussion on how to add access to user/password from the authentication of APACHE.

Today I installed websh on a new server (upgrading to APACHE 2.2.10). I had some problems, which basically resulted from using

    web::response -httpresponse "HTTP/1.x 401"

which worked fine with APACHE 2.0. Now it needs to be

    web::response -httpresponse "HTTP/1.0 401 Unauthorized"

otherwise the response status will not make it to the browser. Instead "HTTP/1.0 200 OK" is sent, which is not triggering the user/password dialog in the browser.

This seems to be in the APACHE part, at least I did not see anything in websh to do this.

> > > > Any suggestions why it should (or not) be included?
> > >
> > > simple answer: it's available in
> > > - Rivet
> > >   via $USER(user) / $USER(pass)
> > > - PHP
> > >   via a variable $PHP_AUTH_USER / $PHP_AUTH_PW rsp.
> > >   $_SERVER['PHP_AUTH_USER'] / $_SERVER['PHP_AUTH_PW'],
> > >   see http://de3.php.net/manual/de/features.http-auth.php
> > >
> > > PHP mentions, that it only works if PHP is used as module. I
> > > guess the same would apply to WebSH. If an external auth mechanism
> > > was used, then REMOTE_USER is set and user/password is not
> > > available for security reasons.
> > You have me almost convinced :-) ...

For this new installation I decided to use the newest version from SVN, also because there were some bugfixes with response and APACHE 2.2 reported. I sadly recognized, that the changes were not in (yet). Any plans to do so?

However, I integrated your patch for 2.0 and it again works like a charm for me.

Best regards
Holger

Holger Zeinert
Product Development Manager LMS TecWare
LMS Deutschland GmbH
Test Division
Luxemburger Str. 7
D-67657 Kaiserslautern [Germany]
T +49 631 30322 223
M +49 163 4166 300
F +49 631 30322 166
mailto:holger.zeinert(a)lmsintl.com
http://www.lmsintl.com
___________________________________________
LMS Deutschland GmbH
Managing Directors: Heinz-Peter Vogt, Dr.-Ing. Urbain Vandeurzen
Registered office: Kaiserslautern
Register court: HRB Kaiserslautern 3706

---------------------------------------------------------------------
To unsubscribe, e-mail: websh-user-unsubscribe@...
For additional commands, e-mail: websh-user-help@...

Re: Authentification

Hi Holger

> some time ago (Apr 2006) we had a discussion on how to add access to
> user/password from the authentication of APACHE.

Sure I remember. I actually have some uncommitted code lying around, but I never really made it work properly. If you accidentally followed my post on c.l.t two days ago: that's one of those loose ends, I'd like to tie sometime ;-)

> Today I installed websh on a new server (upgrading to APACHE 2.2.10).
> I had some problems, which basically resulted from using
>
>   web::response -httpresponse "HTTP/1.x 401"
>
> which worked fine with APACHE 2.0. Now it needs to be
>
>   web::response -httpresponse "HTTP/1.0 401 Unauthorized"
>
> otherwise the response status will not make it to the
> browser. Instead "HTTP/1.0 200 OK" is sent, which is not triggering
> the user/password dialog in the browser.
> This seems to be in the APACHE part, at least I did not see anything
> in websh to do this.

A similar problem was reported recently about -httpresponse not working anymore. A workaround for pretty much any header to send seems

    web::response -set Status "401 $myResponseText"

> > You have me almost convinced :-) ...
>
> For this new installation I decided to use the newest version from
> SVN, also because there were some bugfixes with response and APACHE
> 2.2 reported. I sadly recognized, that the changes were not in
> (yet). Any plans to do so?

As I wrote above: Plan: yes. Any time soon? I can't promise anything. I have another thing I want to commit first: load libwebsh.so/websh.dll from websh/websh.exe and mod_websh.so instead of statically linking the same object code to the various targets. (No functional change, but just a cleaner way to deploy, as the compiled code is installed only once.) When this is done: I'll give it another try.

> However, I integrated your patch for 2.0 and it again works like a
> charm for me.

Thanks for letting me know :-)

Cheers
Ronnie
--
Ronnie Brunner | ronnie.brunner@...
phone +41-44-247 79 79 | fax +41-44-247 70 75
Netcetera AG | 8040 Zürich | Switzerland | http://netcetera.ch

Re: Authentification

Hi again

> > some time ago (Apr 2006) we had a discussion on how to add access to
> > user/password from the authentication of APACHE.

> > For this new installation I decided to use the newest version from
> > SVN, also because there were some bugfixes with response and APACHE
> > 2.2 reported. I sadly recognized, that the changes were not in
> > (yet). Any plans to do so?

I just committed some changes that expose Basic Auth user and password to Websh. (Aren't religious holidays like "Karfreitag" a wonderful thing for us developers with a daytime job? ;-)

The new paragraphs from the (committed, but unpublished) quick reference (request_data_handling.html):

""Special case for handling Basic Auth:

web::request AUTH_USER
    returns the username provided by the user when Basic Auth is requested and Apache does not handle it (i.e. if Apache does not provide REMOTE_USER).

web::request AUTH_PW
    returns the password provided by the user when Basic Auth is requested and Apache does not handle it (i.e. if Apache does not provide REMOTE_USER).

The following example provides a basic app that requires Basic Auth and completely bypasses Apache's auth mechanisms.

Example 7. web::request AUTH_USER and web::request AUTH_PW

    # returns 1 if user/pass provided is websh/websh
    proc isAuthenticated {} {
        if {[web::request -count AUTH_USER]} {
            set user [web::request AUTH_USER]
            set pass [web::request AUTH_PW]
            if {[string eq $user "websh"] && [string eq $pass "websh"]} {
                return 1
            }
        }
        return 0
    }

    # the default command requests Basic Auth unless provided correctly
    web::command default {
        if {![isAuthenticated]} {
            web::response -set Status {401 Authorization Required}
            web::response -set WWW-Authenticate {Basic realm="Websh auth"}
            web::put "Sorry, you're out"
        } else {
            web::put "You're in"
        }
    }

    # command dispatch
    web::dispatch

Note: CGI usually does not expose the Basic Auth Authorization header for security reasons. The following configuration for Apache (as of version 2.0.51) will allow Websh to also provide the same functionality when running in CGI (requires mod_setenvif):

Example 8. Apache configuration for AUTH_USER and AUTH_PW to work under CGI

    SetEnvIf Authorization "^(Basic .+)$" AUTH_BASIC=$1

Important security consideration: This configuration will also expose the authentication information to Websh when Apache does handle the authentication. Although Websh hides the information in that case it is always available in the CGI environment. Use this Configuration carefully.""

If you ever find the time to play around with this let me know if it works for you.

Best regards
Ronnie
--
Ronnie Brunner | ronnie.brunner@...
phone +41-44-247 79 79 | fax +41-44-247 70 75
Netcetera AG | 8040 Zürich | Switzerland | http://netcetera.ch

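Added example (not part of the thread and not Websh's own code): a plain-Tcl decoder for the AUTH_BASIC value that the SetEnvIf line in Example 8 places in the CGI environment, applying the rule quoted above that credentials are withheld whenever Apache has set REMOTE_USER. It assumes Tcl 8.6 for `binary decode base64`; the proc names `parseBasicAuth` and `credentialsFromEnv` and the sample environments are hypothetical.

```tcl
# Added example, assumes Tcl 8.6. Proc names are hypothetical.

# Decode "Basic <base64>" into a two-element list {user password}.
# Returns an empty list when the value is not a well-formed credential.
proc parseBasicAuth {value} {
    # The scheme name is case-insensitive; exactly one base64 token follows.
    if {![regexp -nocase {^Basic +([A-Za-z0-9+/]+=*)$} $value -> b64]} {
        return {}
    }
    # -strict makes the decoder raise an error on input it considers malformed.
    if {[catch {binary decode base64 -strict $b64} raw]} {
        return {}
    }
    # Split at the FIRST colon only: a password may contain colons,
    # a user name may not.
    set idx [string first ":" $raw]
    if {$idx < 0} {
        return {}
    }
    return [list [string range $raw 0 [expr {$idx - 1}]] \
                 [string range $raw [expr {$idx + 1}] end]]
}

# Hand credentials to the application only when Apache did not
# authenticate the request itself, i.e. REMOTE_USER is absent.
# envVar is the NAME of an array; a CGI script would pass ::env.
proc credentialsFromEnv {envVar} {
    upvar 1 $envVar e
    if {[info exists e(REMOTE_USER)] || ![info exists e(AUTH_BASIC)]} {
        return {}
    }
    return [parseBasicAuth $e(AUTH_BASIC)]
}

# Constructed sample environments (not captured traffic).
# "d2Vic2g6d2Vic2g=" is the base64 encoding of "websh:websh".
array set cgiOnly   {AUTH_BASIC "Basic d2Vic2g6d2Vic2g="}
array set apacheDid {AUTH_BASIC "Basic d2Vic2g6d2Vic2g=" REMOTE_USER websh}
array set malformed {AUTH_BASIC "Basic not*base64"}

foreach name {cgiOnly apacheDid malformed} {
    set creds [credentialsFromEnv $name]
    puts "$name: [expr {[llength $creds] ? "user=[lindex $creds 0]" : "no credentials exposed"}]"
}
```

The `apacheDid` case is the one the security note is about: the header is still sitting in the environment, so any other CGI program on that server that reads AUTH_BASIC directly sees the password even though this wrapper withholds it.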