Posted to users@httpd.apache.org by David Knecht <da...@anyweb.ch> on 2006/03/28 10:59:28 UTC

[users@httpd] Single Sign-On to Virtual Hosts

This is probably a rather simple question related to single sign-on to 
virtual hosts. Although I did some research, I need some advice that
points me in the right direction...

This is the environment:

Virtual host A; Allowed users: administrator, user_a
Virtual host B; Allowed users: administrator, user_b
Virtual host C; Allowed users: administrator, user_a, user_c

I'd like to create an administrator account using Apache's basic 
authentication feature. Whenever the administrator is successfully 
authenticated to one of these virtual hosts then no additional 
authentication/login should be required when accessing the other virtual 
hosts. The same applies to non-administrator users. Here, every 
individual user is allowed to login only to explicitly assigned virtual
hosts.

I am currently using this type of authentication definitions in every 
single virtual host container of my test setup:

...
	<Location "/xyz">
		AuthType Basic
		AuthName "Virtual Host A"
		AuthUserFile /etc/httpd/virtual_host_a_htpasswd
		Require valid-user
	</Location>
...

Every virtual host container is currently using its own AuthUserFile. I 
assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all 
user definitions as well as "Require administrator user_a" etc. on every 
individual virtual host is the way to go. However, I did not manage to 
make the single sign-on work so far...

I am using Apache 2.0.52.

Thanks for your help, David


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Single Sign-On to Virtual Hosts

Posted by David Knecht <da...@anyweb.ch>.
Joshua Slive wrote:
> On 3/28/06, Joost de Heer <sa...@xs4all.nl> wrote:
>> David Knecht wrote:
>>> This is probably a rather simple question related to single sign-on to
>>> virtual hosts. Although I did some research, I need some advice that
>>> points me in the right direction...
>>>
>>> This is the environment:
>>>
>>> Virtual host A; Allowed users: administrator, user_a
>>> Virtual host B; Allowed users: administrator, user_b
>>> Virtual host C; Allowed users: administrator, user_a, user_c
>>>
>>> I'd like to create an administrator account using Apache's basic
>>> authentication feature. Whenever the administrator is successfully
>>> authenticated to one of these virtual hosts then no additional
>>> authentication/login should be required when accessing the other virtual
>>> hosts. The same applies to non-administrator users. Here, every
>>> individual user is allowed to login only to explicitly assigned virtual
>>> hosts.
>>>
>>> I am currently using this type of authentication definitions in every
>>> single virtual host container of my test setup:
>>>
>>> ...
>>>       <Location "/xyz">
>>>               AuthType Basic
>>>               AuthName "Virtual Host A"
>>>               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
>>>               Require valid-user
>>>       </Location>
>>> ...
>>>
>>> Every virtual host container is currently using its own AuthUserFile. I
>>> assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
>>> user definitions as well as "Require administrator user_a" etc. on every
>>> individual virtual host is the way to go. However, I did not manage to
>>> make the single sign-on work so far...
>> Something like this:
>>
>> - Have all vhosts use the same AuthName
>> - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
>> group with the members that may use that vhost
>> - require membership of the proper authgroup.
>>
>> Once you start using different authnames, you can forget SSO, since a
>> different realm will be used for different vhosts.
> 
> Different hosts will require a new prompt regardless of the AuthName. 
> Otherwise you could easily steal passwords from other sites just by
> copying their AuthName.
> 
> So the punchline is that it is impossible to do SSO across different
> hosts with http basic auth.  You need to use another technique to
> manage sessions like cookies or special URLs.
> 
> Joshua.

Thanks. I guess I am going to give http://idcheck.sourceforge.net/ a try.

David




Re: [users@httpd] Re: Single Sign-On to Virtual Hosts

Posted by Joshua Slive <jo...@slive.ca>.
On 3/28/06, Joost de Heer <sa...@xs4all.nl> wrote:
> David Knecht wrote:
> > This is probably a rather simple question related to single sign-on to
> > virtual hosts. Although I did some research, I need some advice that
> > points me in the right direction...
> >
> > This is the environment:
> >
> > Virtual host A; Allowed users: administrator, user_a
> > Virtual host B; Allowed users: administrator, user_b
> > Virtual host C; Allowed users: administrator, user_a, user_c
> >
> > I'd like to create an administrator account using Apache's basic
> > authentication feature. Whenever the administrator is successfully
> > authenticated to one of these virtual hosts then no additional
> > authentication/login should be required when accessing the other virtual
> > hosts. The same applies to non-administrator users. Here, every
> > individual user is allowed to login only to explicitly assigned virtual
> > hosts.
> >
> > I am currently using this type of authentication definitions in every
> > single virtual host container of my test setup:
> >
> > ...
> >       <Location "/xyz">
> >               AuthType Basic
> >               AuthName "Virtual Host A"
> >               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
> >               Require valid-user
> >       </Location>
> > ...
> >
> > Every virtual host container is currently using its own AuthUserFile. I
> > assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
> > user definitions as well as "Require administrator user_a" etc. on every
> > individual virtual host is the way to go. However, I did not manage to
> > make the single sign-on work so far...
>
> Something like this:
>
> - Have all vhosts use the same AuthName
> - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
> group with the members that may use that vhost
> - require membership of the proper authgroup.
>
> Once you start using different authnames, you can forget SSO, since a
> different realm will be used for different vhosts.

Different hosts will require a new prompt regardless of the AuthName. 
Otherwise you could easily steal passwords from other sites just by
copying their AuthName.

So the punchline is that it is impossible to do SSO across different
hosts with http basic auth.  You need to use another technique to
manage sessions like cookies or special URLs.

Joshua.



[users@httpd] Re: Single Sign-On to Virtual Hosts

Posted by Joost de Heer <sa...@xs4all.nl>.
David Knecht wrote:
> This is probably a rather simple question related to single sign-on to
> virtual hosts. Although I did some research, I need some advice that
> points me in the right direction...
>
> This is the environment:
>
> Virtual host A; Allowed users: administrator, user_a
> Virtual host B; Allowed users: administrator, user_b
> Virtual host C; Allowed users: administrator, user_a, user_c
>
> I'd like to create an administrator account using Apache's basic
> authentication feature. Whenever the administrator is successfully
> authenticated to one of these virtual hosts then no additional
> authentication/login should be required when accessing the other virtual
> hosts. The same applies to non-administrator users. Here, every
> individual user is allowed to login only to explicitly assigned virtual
> hosts.
>
> I am currently using this type of authentication definitions in every
> single virtual host container of my test setup:
>
> ...
> 	<Location "/xyz">
> 		AuthType Basic
> 		AuthName "Virtual Host A"
> 		AuthUserFile /etc/httpd/virtual_host_a_htpasswd
> 		Require valid-user
> 	</Location>
> ...
>
> Every virtual host container is currently using its own AuthUserFile. I
> assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
> user definitions as well as "Require administrator user_a" etc. on every
> individual virtual host is the way to go. However, I did not manage to
> make the single sign-on work so far...

Something like this:

- Have all vhosts use the same AuthName
- Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
group with the members that may use that vhost
- require membership of the proper authgroup.

Once you start using different authnames, you can forget SSO, since a
different realm will be used for different vhosts.

Joost
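
Added example, not part of the original thread: the three steps above written out for the hosts and users in the question. The host names, the realm string and the group file path are assumptions. This gives each virtual host its own access list from one shared password file; browsers scope Basic credentials to the host as well as the realm, so each host still prompts once.

```apache
# /etc/httpd/htgroups (constructed group file, one "group: members" line each):
#   vhosta: administrator user_a
#   vhostb: administrator user_b
#   vhostc: administrator user_a user_c

# Needed for name-based virtual hosts on Apache 2.0/2.2; has no effect in 2.4.
NameVirtualHost *:80

# Basic credentials travel base64-encoded on every request, so in production
# these locations belong on TLS virtual hosts rather than plain port 80.

<VirtualHost *:80>
    ServerName a.example.com          # placeholder host name
    <Location "/xyz">
        AuthType Basic
        AuthName "Restricted"         # same realm string on every vhost
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroups
        Require group vhosta          # administrator, user_a
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName b.example.com          # placeholder host name
    <Location "/xyz">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroups
        Require group vhostb          # administrator, user_b
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName c.example.com          # placeholder host name
    <Location "/xyz">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/httpd/htpasswd
        AuthGroupFile /etc/httpd/htgroups
        Require group vhostc          # administrator, user_a, user_c
    </Location>
</VirtualHost>
```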

