You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Dirk Thomas / 4wd media <di...@4wdmedia.de> on 2010/04/14 23:03:02 UTC

[users@httpd] users@httpd.apache.org

Hi,

i have a problem with Authentification.
I currently doubt that it is possible at all.
Perhaps someone can enlighten me how to achive the goal or confirm that it is not reachable.

The scenario is to achieve a mixed authentication/anonymous access similar as described for Subversion (see http://svnbook.red-bean.com/nightly/de/svn-book.html#svn.serverconfig.httpd.authz.perdir.ex-3).

Therefore the ".htaccess" looks something like that:
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Realm"
    AuthUserFile "/some/path/.htusers"
    require valid-user
    Satisfy any

Additionally a PHP script is inside the same folder.
When you now browse to the URL of the PHP script, you can access it without any credentials requested.

At some point the PHP script "decides" that authentification is required (e.g. when passing a param like "?access-secret=1"). Therefore it sends the following two headers:
    WWW-Authenticate: Basic realm="Realm"
    HTTP/1.x 401 Unauthorized

Then you are asked to insert your username/password for the basic auth.

But now comes the problem:
How can the PHP script determine if you have provided valid credentials?
The server variables PHP_AUTH_USER and PHP_AUTH_PW are populated independent of the result of the authentification defined in Apache.

I do explicitly not want to check the credentials in PHP - think of the many different auth-methods which could be configured with Apache.
Nor can the anonymous and authenticated parts be split in separate folders (to use separate .htaccess-files).

Is this goal even possible or is the only way to not allow anonymous access (but for replacement a dummy user like "guest" with no password) or implement the auth in PHP?

Any feedback is highly appreciated.

Thank you
Dirk

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org