You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by "J. J. Horner" <jh...@2jnetworks.com> on 2001/09/18 15:51:06 UTC
ANNOUNCE: Starting work on Apache::RedirectUnless
I have need of a module that will redirect to https anytime
basic authentication is required.
I figure the best way to do this is to step in at the authentication
phase, and should authentication be required and the method be http,
redirect to https for any and all basic authentication traffic. Perhaps
after this, redirect to http, if desired.
Any comments or suggestions?
Thanks,
JJ
--
J. J. Horner
"H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
Freedom is an all-or-nothing proposition: either we
are completely free, or we are subjects of a
tyrannical system. If we lose one freedom in a
thousand, we become completely subjugated.
Re: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Vivek Khera <kh...@kcilink.com>.
>>>>> "JJH" == J J Horner <jh...@2jnetworks.com> writes:
JJH> I have need of a module that will redirect to https anytime
JJH> basic authentication is required.
JJH> I figure the best way to do this is to step in at the authentication
JJH> phase, and should authentication be required and the method be http,
JJH> redirect to https for any and all basic authentication traffic. Perhaps
JJH> after this, redirect to http, if desired.
JJH> Any comments or suggestions?
The problem here is that once you're authenticated via basic auth,
your ID/password is passed on *every* request back to that server. I
don't think you can distinguish easily when it is not needed any more
to redirect to the non-secured server.
What I do in one of my applications is to use Apache::AuthCookie and
set the cookie to not require a secure connection. Then I use
mod_rewrite to shuttle people back and forth so I don't need to
hard-code the full URL in all the pages.
Something like this:
# handle static content directly in whatever mode
RewriteRule \.(gif|jpg|png|css|txt|pdf|cgi|html|js|ico)$ - [last]
# make sure we're in SSL mode when inside register or manage, and not
# SSL mode otherwise, except for images. Those need to be the same.
RewriteRule ^/(manage|register)/(.*) https://%{SERVER_NAME}/$1/$2 [last]
and in the SSL virtual-host context:
# handle static content directly in whatever mode
RewriteRule \.(gif|jpg|png|css|txt|pdf|cgi|html|js|ico)$ - [last]
# leave alone manage* and register/* requests, and the special LOGIN/OUT
# locations, and the redirector until we're done redirecting
RewriteCond %{REQUEST_URI} !^/(rd$|LOG|manage|register/)
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [nosubreq,last]
This fails if you POST to a url that should be https from a non-https
page if you don't hard-code the URL to go directly to the https
variant.
This makes web design quite easy, and links are all relative, etc.
The cost is one redirect on the switchover.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/
Re: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by "J. J. Horner" <jh...@2jnetworks.com>.
* Mithun Bhattacharya (mithun.b@egurucool.com) [010919 03:40]:
> Stephen Adkins wrote:
>
> > Is there an easier way to safeguard against Apache prompting for
> > a password over HTTP?
>
> You could keep the secure areas outside the HTTP document root ?? Just a
> different DocumentRoot for HTTPS in your VirtualHost or separate
> httpd.conf.
>
>
>
> Mithun
Well, one solution we were looking at was using two document roots,
and linking those directories/apps certified clean to the http docroot.
The problem with this is that we have two virtual hosts, same name, different
ports (http and https) that basically need to have the same information,
with the difference of redirecting some things to the https virtual host if
the directory/app is not certified clean by us. This makes for a very long,
very intricate Redirect list and each time we need to add to it, we would have
to start and stop the server.
I figured a more elegant method would be to have the webserver redirect if
an .htaccess is present. The only way I can figure on doing this effectively
would be a mod_perl module. So, I'm going to write one.
Thanks,
JJ
--
J. J. Horner
"H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
Freedom is an all-or-nothing proposition: either we
are completely free, or we are subjects of a
tyrannical system. If we lose one freedom in a
thousand, we become completely subjugated.
Re: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Mithun Bhattacharya <mi...@egurucool.com>.
Stephen Adkins wrote:
> Is there an easier way to safeguard against Apache prompting for
> a password over HTTP?
You could keep the secure areas outside the HTTP document root ?? Just a
different DocumentRoot for HTTPS in your VirtualHost or separate
httpd.conf.
Mithun
Re: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Jimmy <en...@fldna.net>.
On Tue, Sep 18, 2001 at 04:08:30PM -0400, Stephen Adkins wrote:
> Hi,
>
> I have been following this thread with interest because I have been
> struggling with the same problem. I define it this way.
>
> * To achieve secure authentication which is widely supported, you need
> to use Basic authentication over SSL
> * All URLs which can be accessed with HTTPS can be accessed with HTTP
> * I secure certain directories with .htaccess and all of the links
> in my site which point to them are via HTTPS, so as long as people
> always follow the links, they will never transfer the password
> in clear text (essentially) over the network using HTTP.
> * However, if they type the URL directly into the browser and they
> *forget* to use "https" but rather use "http", their password
> is exposed to network sniffers.
Do just like mod_proxy_add_forward.c but forward the port also.
/* fixup */
ap_table_set(r->headers_in, "X-Port", ap_psprintf(r->pool, "%u",
r->server->port ? r->server->port : ap_default_port(r)));
# PerlPost
my $forwarded_port = $r->header_in('X-Port');
if ($forwarded_port != 443)
{
# do something
} else {
# do this
}
Just a thought ....
Jimmy
RE: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Christian Gilmore <cg...@tivoli.com>.
Redirects in the non-secure virtual host to the secure virtual host would
certainly do the trick. The module does have value (better name would be
Apache::AuthRedirect, IMO), but it would be built for people to be lazy
about their configurations.
Regards,
Christian
----------------------
Christian Gilmore
Team Lead
Web Infrastructure & Tools
IBM Software Group
> -----Original Message-----
> From: Stephen Adkins [mailto:stephen.adkins@officevision.com]
> Sent: Tuesday, September 18, 2001 3:09 PM
> To: cag@us.ibm.com; modperl@apache.org
> Subject: RE: ANNOUNCE: Starting work on Apache::RedirectUnless
>
>
> Hi,
>
> I have been following this thread with interest because I have been
> struggling with the same problem. I define it this way.
>
> * To achieve secure authentication which is widely
> supported, you need
> to use Basic authentication over SSL
> * All URLs which can be accessed with HTTPS can be accessed with HTTP
> * I secure certain directories with .htaccess and all of the links
> in my site which point to them are via HTTPS, so as long as people
> always follow the links, they will never transfer the password
> in clear text (essentially) over the network using HTTP.
> * However, if they type the URL directly into the browser and they
> *forget* to use "https" but rather use "http", their password
> is exposed to network sniffers.
>
> I think that it was to solve this problem that J.J.Horner suggested
> the module. Any request to a secured area using HTTP would be
> automatically redirected to the same URL with HTTPS instead.
> Thus, the browser would never, ever be prompted to surrender the
> authentication credentials (password) in the clear over HTTP.
>
> Thus, I see great value to JJ's suggested module.
>
> Is there an easier way to safeguard against Apache prompting for
> a password over HTTP?
>
> Stephen
>
> At 01:41 PM 9/18/2001 -0500, Christian Gilmore wrote:
> >A realm is defined by the following three things:
> >
> >1) AuthName
> >2) ServerName (well, the server name in the URL actually)
> >3) Port (well, the port to which the browser is talking)
> >
> >If these three things are not always the same, the browser
> will prompt the
> >user to re-authenticate. So, you cannot authenticate a user
> on your https
> >port and magically expect that information to be passed by
> the browser to
> >your http port. You'd have to do application-layer session
> handling with
> >some kind of shared information across services. There are security
> >implications to consider here...
> >
> >Regards,
> >Christian
> >
> >> -----Original Message-----
> >> From: 'J. J. Horner' [mailto:jhorner@2jnetworks.com]
> >> Sent: Tuesday, September 18, 2001 12:01 PM
> >> To: cag@us.ibm.com
> >> Cc: modperl@apache.org
> >> Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless
> >>
> >>
> >> The problem with that solution is that we have 2 virtual
> >> hosts, one http, one https, on one
> >> machine. https is the only available transport outside of
> >> our network, while the http
> >> server is available internally.
> >>
> >> This is a production webserver, with existing information,
> >> applications, etc. We don't
> >> want to redesign our existing setup just to move content to a
> >> secure virtualhost when
> >> someone wants to authenticate. This approach allows us to
> >> keep things from the developer
> >> side very transparent. Developers can continue to maintain
> >> and create as usual, with the
> >> added step of a login being transferred by https method.
> >>
> >> If I were designing a server from scratch, I would plan
> >> better, but since we are trying
> >> to implement encrypted basic authentication after the server,
> >> sites, applications are in place,
> >> we have to work around them.
> >>
> >> With the AuthName set to one value across the server, we may
> >> be able to prevent too many logins.
> >>
> >> We need to keep the same content on both virtualhosts as much
> >> as possible.
> >>
> >> Ideas? Comments?
> >>
> >> Thanks,
> >> JJ
> >>
> >>
> >> * Christian Gilmore (cgilmore@tivoli.com) [010918 11:36]:
> >> > Putting it into the auth phase would be appropriate, but I
> >> have to wonder
> >> > why this module is needed other than to refrain from keeping your
> >> > configuration file clean. Your unsecure virtual host should
> >> have no auth
> >> > statements in it if you want all auth to be on your secure
> >> virtual host...
> >> >
> >> > You'll need to have your entire session where you want
> the user to
> >> > authenticate on the same virtual host, else the user will
> >> be prompted
> >> > multiple times or you will have a security gap if you're
> >> leaving it all up
> >> > to the service layer.
> >> >
> >> > Regards,
> >> > Christian
> >> >
> >> > > -----Original Message-----
> >> > > From: J. J. Horner [mailto:jhorner@2jnetworks.com]
> >> > > Sent: Tuesday, September 18, 2001 8:51 AM
> >> > > To: modperl@apache.org
> >> > > Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
> >> > >
> >> > >
> >> > > I have need of a module that will redirect to https anytime
> >> > > basic authentication is required.
> >> > >
> >> > > I figure the best way to do this is to step in at the
> >> authentication
> >> > > phase, and should authentication be required and the
> >> method be http,
> >> > > redirect to https for any and all basic authentication
> >> > > traffic. Perhaps
> >> > > after this, redirect to http, if desired.
> >> > >
> >> > > Any comments or suggestions?
> >> > >
> >> > > Thanks,
> >> > > JJ
> >> > >
> >> > > --
> >> > > J. J. Horner
> >> > > "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> >> > > ***************************************************
> >> > > "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> >> > >
> >> > > Freedom is an all-or-nothing proposition: either we
> >> > > are completely free, or we are subjects of a
> >> > > tyrannical system. If we lose one freedom in a
> >> > > thousand, we become completely subjugated.
> >> > >
> >>
> >> --
> >> J. J. Horner
> >> "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> >> ***************************************************
> >> "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> >>
> >> Freedom is an all-or-nothing proposition: either we
> >> are completely free, or we are subjects of a
> >> tyrannical system. If we lose one freedom in a
> >> thousand, we become completely subjugated.
> >>
> >
> >
> >
>
RE: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Stephen Adkins <st...@officevision.com>.
Hi,
I have been following this thread with interest because I have been
struggling with the same problem. I define it this way.
* To achieve secure authentication which is widely supported, you need
to use Basic authentication over SSL
* All URLs which can be accessed with HTTPS can be accessed with HTTP
* I secure certain directories with .htaccess and all of the links
in my site which point to them are via HTTPS, so as long as people
always follow the links, they will never transfer the password
in clear text (essentially) over the network using HTTP.
* However, if they type the URL directly into the browser and they
*forget* to use "https" but rather use "http", their password
is exposed to network sniffers.
I think that it was to solve this problem that J.J.Horner suggested
the module. Any request to a secured area using HTTP would be
automatically redirected to the same URL with HTTPS instead.
Thus, the browser would never, ever be prompted to surrender the
authentication credentials (password) in the clear over HTTP.
Thus, I see great value to JJ's suggested module.
Is there an easier way to safeguard against Apache prompting for
a password over HTTP?
Stephen
At 01:41 PM 9/18/2001 -0500, Christian Gilmore wrote:
>A realm is defined by the following three things:
>
>1) AuthName
>2) ServerName (well, the server name in the URL actually)
>3) Port (well, the port to which the browser is talking)
>
>If these three things are not always the same, the browser will prompt the
>user to re-authenticate. So, you cannot authenticate a user on your https
>port and magically expect that information to be passed by the browser to
>your http port. You'd have to do application-layer session handling with
>some kind of shared information across services. There are security
>implications to consider here...
>
>Regards,
>Christian
>
>> -----Original Message-----
>> From: 'J. J. Horner' [mailto:jhorner@2jnetworks.com]
>> Sent: Tuesday, September 18, 2001 12:01 PM
>> To: cag@us.ibm.com
>> Cc: modperl@apache.org
>> Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless
>>
>>
>> The problem with that solution is that we have 2 virtual
>> hosts, one http, one https, on one
>> machine. https is the only available transport outside of
>> our network, while the http
>> server is available internally.
>>
>> This is a production webserver, with existing information,
>> applications, etc. We don't
>> want to redesign our existing setup just to move content to a
>> secure virtualhost when
>> someone wants to authenticate. This approach allows us to
>> keep things from the developer
>> side very transparent. Developers can continue to maintain
>> and create as usual, with the
>> added step of a login being transferred by https method.
>>
>> If I were designing a server from scratch, I would plan
>> better, but since we are trying
>> to implement encrypted basic authentication after the server,
>> sites, applications are in place,
>> we have to work around them.
>>
>> With the AuthName set to one value across the server, we may
>> be able to prevent too many logins.
>>
>> We need to keep the same content on both virtualhosts as much
>> as possible.
>>
>> Ideas? Comments?
>>
>> Thanks,
>> JJ
>>
>>
>> * Christian Gilmore (cgilmore@tivoli.com) [010918 11:36]:
>> > Putting it into the auth phase would be appropriate, but I
>> have to wonder
>> > why this module is needed other than to refrain from keeping your
>> > configuration file clean. Your unsecure virtual host should
>> have no auth
>> > statements in it if you want all auth to be on your secure
>> virtual host...
>> >
>> > You'll need to have your entire session where you want the user to
>> > authenticate on the same virtual host, else the user will
>> be prompted
>> > multiple times or you will have a security gap if you're
>> leaving it all up
>> > to the service layer.
>> >
>> > Regards,
>> > Christian
>> >
>> > > -----Original Message-----
>> > > From: J. J. Horner [mailto:jhorner@2jnetworks.com]
>> > > Sent: Tuesday, September 18, 2001 8:51 AM
>> > > To: modperl@apache.org
>> > > Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
>> > >
>> > >
>> > > I have need of a module that will redirect to https anytime
>> > > basic authentication is required.
>> > >
>> > > I figure the best way to do this is to step in at the
>> authentication
>> > > phase, and should authentication be required and the
>> method be http,
>> > > redirect to https for any and all basic authentication
>> > > traffic. Perhaps
>> > > after this, redirect to http, if desired.
>> > >
>> > > Any comments or suggestions?
>> > >
>> > > Thanks,
>> > > JJ
>> > >
>> > > --
>> > > J. J. Horner
>> > > "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
>> > > ***************************************************
>> > > "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
>> > >
>> > > Freedom is an all-or-nothing proposition: either we
>> > > are completely free, or we are subjects of a
>> > > tyrannical system. If we lose one freedom in a
>> > > thousand, we become completely subjugated.
>> > >
>>
>> --
>> J. J. Horner
>> "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
>> ***************************************************
>> "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
>>
>> Freedom is an all-or-nothing proposition: either we
>> are completely free, or we are subjects of a
>> tyrannical system. If we lose one freedom in a
>> thousand, we become completely subjugated.
>>
>
>
>
RE: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Christian Gilmore <cg...@tivoli.com>.
A realm is defined by the following three things:
1) AuthName
2) ServerName (well, the server name in the URL actually)
3) Port (well, the port to which the browser is talking)
If these three things are not always the same, the browser will prompt the
user to re-authenticate. So, you cannot authenticate a user on your https
port and magically expect that information to be passed by the browser to
your http port. You'd have to do application-layer session handling with
some kind of shared information across services. There are security
implications to consider here...
Regards,
Christian
> -----Original Message-----
> From: 'J. J. Horner' [mailto:jhorner@2jnetworks.com]
> Sent: Tuesday, September 18, 2001 12:01 PM
> To: cag@us.ibm.com
> Cc: modperl@apache.org
> Subject: Re: ANNOUNCE: Starting work on Apache::RedirectUnless
>
>
> The problem with that solution is that we have 2 virtual
> hosts, one http, one https, on one
> machine. https is the only available transport outside of
> our network, while the http
> server is available internally.
>
> This is a production webserver, with existing information,
> applications, etc. We don't
> want to redesign our existing setup just to move content to a
> secure virtualhost when
> someone wants to authenticate. This approach allows us to
> keep things from the developer
> side very transparent. Developers can continue to maintain
> and create as usual, with the
> added step of a login being transferred by https method.
>
> If I were designing a server from scratch, I would plan
> better, but since we are trying
> to implement encrypted basic authentication after the server,
> sites, applications are in place,
> we have to work around them.
>
> With the AuthName set to one value across the server, we may
> be able to prevent too many logins.
>
> We need to keep the same content on both virtualhosts as much
> as possible.
>
> Ideas? Comments?
>
> Thanks,
> JJ
>
>
> * Christian Gilmore (cgilmore@tivoli.com) [010918 11:36]:
> > Putting it into the auth phase would be appropriate, but I
> have to wonder
> > why this module is needed other than to refrain from keeping your
> > configuration file clean. Your unsecure virtual host should
> have no auth
> > statements in it if you want all auth to be on your secure
> virtual host...
> >
> > You'll need to have your entire session where you want the user to
> > authenticate on the same virtual host, else the user will
> be prompted
> > multiple times or you will have a security gap if you're
> leaving it all up
> > to the service layer.
> >
> > Regards,
> > Christian
> >
> > > -----Original Message-----
> > > From: J. J. Horner [mailto:jhorner@2jnetworks.com]
> > > Sent: Tuesday, September 18, 2001 8:51 AM
> > > To: modperl@apache.org
> > > Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
> > >
> > >
> > > I have need of a module that will redirect to https anytime
> > > basic authentication is required.
> > >
> > > I figure the best way to do this is to step in at the
> authentication
> > > phase, and should authentication be required and the
> method be http,
> > > redirect to https for any and all basic authentication
> > > traffic. Perhaps
> > > after this, redirect to http, if desired.
> > >
> > > Any comments or suggestions?
> > >
> > > Thanks,
> > > JJ
> > >
> > > --
> > > J. J. Horner
> > > "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> > > ***************************************************
> > > "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> > >
> > > Freedom is an all-or-nothing proposition: either we
> > > are completely free, or we are subjects of a
> > > tyrannical system. If we lose one freedom in a
> > > thousand, we become completely subjugated.
> > >
>
> --
> J. J. Horner
> "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> ***************************************************
> "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
>
> Freedom is an all-or-nothing proposition: either we
> are completely free, or we are subjects of a
> tyrannical system. If we lose one freedom in a
> thousand, we become completely subjugated.
>
Re: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by "'J. J. Horner'" <jh...@2jnetworks.com>.
The problem with that solution is that we have 2 virtual hosts, one http, one https, on one
machine. https is the only available transport outside of our network, while the http
server is available internally.
This is a production webserver, with existing information, applications, etc. We don't
want to redesign our existing setup just to move content to a secure virtualhost when
someone wants to authenticate. This approach allows us to keep things from the developer
side very transparent. Developers can continue to maintain and create as usual, with the
added step of a login being transferred by https method.
If I were designing a server from scratch, I would plan better, but since we are trying
to implement encrypted basic authentication after the server, sites, applications are in place,
we have to work around them.
With the AuthName set to one value across the server, we may be able to prevent too many logins.
We need to keep the same content on both virtualhosts as much as possible.
Ideas? Comments?
Thanks,
JJ
* Christian Gilmore (cgilmore@tivoli.com) [010918 11:36]:
> Putting it into the auth phase would be appropriate, but I have to wonder
> why this module is needed other than to refrain from keeping your
> configuration file clean. Your unsecure virtual host should have no auth
> statements in it if you want all auth to be on your secure virtual host...
>
> You'll need to have your entire session where you want the user to
> authenticate on the same virtual host, else the user will be prompted
> multiple times or you will have a security gap if you're leaving it all up
> to the service layer.
>
> Regards,
> Christian
>
> > -----Original Message-----
> > From: J. J. Horner [mailto:jhorner@2jnetworks.com]
> > Sent: Tuesday, September 18, 2001 8:51 AM
> > To: modperl@apache.org
> > Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
> >
> >
> > I have need of a module that will redirect to https anytime
> > basic authentication is required.
> >
> > I figure the best way to do this is to step in at the authentication
> > phase, and should authentication be required and the method be http,
> > redirect to https for any and all basic authentication
> > traffic. Perhaps
> > after this, redirect to http, if desired.
> >
> > Any comments or suggestions?
> >
> > Thanks,
> > JJ
> >
> > --
> > J. J. Horner
> > "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> > ***************************************************
> > "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
> >
> > Freedom is an all-or-nothing proposition: either we
> > are completely free, or we are subjects of a
> > tyrannical system. If we lose one freedom in a
> > thousand, we become completely subjugated.
> >
--
J. J. Horner
"H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
Freedom is an all-or-nothing proposition: either we
are completely free, or we are subjects of a
tyrannical system. If we lose one freedom in a
thousand, we become completely subjugated.
RE: ANNOUNCE: Starting work on Apache::RedirectUnless
Posted by Christian Gilmore <cg...@tivoli.com>.
Putting it into the auth phase would be appropriate, but I have to wonder
why this module is needed other than to refrain from keeping your
configuration file clean. Your unsecure virtual host should have no auth
statements in it if you want all auth to be on your secure virtual host...
You'll need to have your entire session where you want the user to
authenticate on the same virtual host, else the user will be prompted
multiple times or you will have a security gap if you're leaving it all up
to the service layer.
Regards,
Christian
> -----Original Message-----
> From: J. J. Horner [mailto:jhorner@2jnetworks.com]
> Sent: Tuesday, September 18, 2001 8:51 AM
> To: modperl@apache.org
> Subject: ANNOUNCE: Starting work on Apache::RedirectUnless
>
>
> I have need of a module that will redirect to https anytime
> basic authentication is required.
>
> I figure the best way to do this is to step in at the authentication
> phase, and should authentication be required and the method be http,
> redirect to https for any and all basic authentication
> traffic. Perhaps
> after this, redirect to http, if desired.
>
> Any comments or suggestions?
>
> Thanks,
> JJ
>
> --
> J. J. Horner
> "H*","6d6174686c696e40326a6e6574776f726b732e636f6d"
> ***************************************************
> "H*","6a6a686f726e65724062656c6c736f7574682e6e6574"
>
> Freedom is an all-or-nothing proposition: either we
> are completely free, or we are subjects of a
> tyrannical system. If we lose one freedom in a
> thousand, we become completely subjugated.
>