Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2010/09/09 01:00:43 UTC

Fake Basic Authentication

Someone asked on IRC today about seamlessly mixing SSL Client
authentication (FakeBasicAuth) with normal basic authn.
As I understood it, users without a client cert should authenticate, 
but those with one would be spared the authn dialogue.

A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
in an Access hook, so it's set before authn.  So what the user
asks is trivial: all it needs is an authn provider that accepts
any request in which r->user is set.  I've just hacked up the
smallest-ever(?) module (attached) to do that.

This could also give users flexibility to mix-and-match basic
auth with other schemes in mod_rewrite style.  Or no doubt
shoot themselves in the foot.

Thoughts?

-- 
Nick Kew

Re: Fake Basic Authentication

Posted by Nick Kew <ni...@webthing.com>.
On Thu, 09 Sep 2010 16:51:00 +0200
Guenter Knauf <fu...@apache.org> wrote:

> Am 09.09.2010 01:00, schrieb Nick Kew:
> > Someone asked on IRC today about seamlessly mixing SSL Client
> > authentication (FakeBasicAuth) with normal basic authn.
> > As I understood it, users without a client cert should authenticate,
> > but those with one would be spared the authn dialogue.
> >
> > A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
> > in an Access hook, so it's set before authn.  So what the user
> > asks is trivial: all it needs is an authn provider that accepts
> > any request in which r->user is set.  I've just hacked up the
> > smallest-ever(?) module (attached) to do that.
> >
> > This could also give users flexibility to mix-and-match basic
> > auth with other schemes in mod_rewrite style.  Or no doubt
> > shoot themselves in the foot.
> >
> > Thoughts?
> isn't this already something similar?
> http://sourceforge.net/projects/modauthcertific/

Looking at that, I see it implements its own protocol and hooks,
including changing r->ap_auth_type on-the-fly.  I could be wrong,
but it doesn't look like something that'll integrate well with
mod_auth_basic and authn providers.

-- 
Nick Kew

Re: Fake Basic Authentication

Posted by Guenter Knauf <fu...@apache.org>.
Am 09.09.2010 01:00, schrieb Nick Kew:
> Someone asked on IRC today about seamlessly mixing SSL Client
> authentication (FakeBasicAuth) with normal basic authn.
> As I understood it, users without a client cert should authenticate,
> but those with one would be spared the authn dialogue.
>
> A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
> in an Access hook, so it's set before authn.  So what the user
> asks is trivial: all it needs is an authn provider that accepts
> any request in which r->user is set.  I've just hacked up the
> smallest-ever(?) module (attached) to do that.
>
> This could also give users flexibility to mix-and-match basic
> auth with other schemes in mod_rewrite style.  Or no doubt
> shoot themselves in the foot.
>
> Thoughts?
isn't this already something similar?
http://sourceforge.net/projects/modauthcertific/

Gün.

RE: Fake Basic Authentication

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
 

> -----Original Message-----
> From: Nick Kew 
> Sent: Donnerstag, 9. September 2010 01:01
> To: dev@httpd.apache.org
> Subject: Fake Basic Authentication
> 
> Someone asked on IRC today about seamlessly mixing SSL Client
> authentication (FakeBasicAuth) with normal basic authn.
> As I understood it, users without a client cert should authenticate, 
> but those with one would be spared the authn dialogue.

You confuse me. Doesn't this already work with Basic Auth if the user
that presents the certificate is registered in the Authn provider
with the password 'password'?
Of course this also means that if someone knows the username in the
certificate of one of the users he can log in WITHOUT certificate
using the username and 'password' (provided that client certs are not
mandatory of course).
Maybe it would be helpful to post an example configuration snippet
to be sure that we are really talking about the same thing.


> 
> A quick look at mod_ssl reveals that FakeBasicAuth sets r->user
> in an Access hook, so it's set before authn.  So what the user

In the case that FakeBasicAuth is turned on r->user is not set
by mod_ssl. In this case it only adds a fake Basic auth header
to r->headers_in in ssl_hook_UserCheck (which is the same hook that
mod_auth_basic runs in but earlier) and leaves the job of setting
r->user to mod_auth_basic.

Regards

Rüdiger
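
The configuration snippet Rüdiger asks for, as an added example that is not from the thread, from httpd's documentation or from Nick's attached module: the mixed setup Nick's original post describes, with the password-"password" account Rüdiger points out marked, and the stock-module change that closes it. The file paths, the AuthName and the example DN are assumptions.

```apache
# Added example, not part of the thread. Paths and the DN are made up.
# Goal from Nick's post: a client with a valid certificate skips the
# password dialogue, everyone else gets a normal Basic challenge.

SSLEngine on
SSLVerifyClient optional              # a cert is accepted but not demanded
SSLVerifyDepth 2
SSLCACertificateFile /etc/ssl/ca/clients.pem

<Location "/protected">
    # mod_ssl turns a verified cert into a synthetic
    # "Authorization: Basic <subject DN>:password" header in
    # ssl_hook_UserCheck, ahead of mod_auth_basic; r->user is then set
    # by mod_auth_basic, not by mod_ssl.
    SSLOptions +FakeBasicAuth
    AuthType Basic
    AuthName "Protected area"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
</Location>

# /etc/httpd/htpasswd needs one entry per certificate holder whose
# password IS the literal string "password", e.g.
#   htpasswd -b /etc/httpd/htpasswd "/C=GB/O=Example/CN=alice" password
# alongside the ordinary entries for password-only users.
#
# Rüdiger's point: because SSLVerifyClient is optional, a request with
# no certificate that carries a client-built Basic header for
# "/C=GB/O=Example/CN=alice" and "password" goes through exactly the
# same mod_auth_basic/file path and is accepted.  The audit check is
# therefore the AuthUserFile: every DN-style user name in it is an
# account whose password is known to be "password".
#
# With stock modules the only way to close it is to give up the mix
# for that location: demand the certificate, so the fake header can
# only ever be produced by mod_ssl from a verified cert.
#
# <Location "/protected">
#     SSLVerifyClient require
#     SSLOptions +FakeBasicAuth
#     ...
# </Location>
```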

Re: Fake Basic Authentication

Posted by Eric Covener <co...@gmail.com>.
> This could also give users flexibility to mix-and-match basic
> auth with other schemes in mod_rewrite style.  Or no doubt
> shoot themselves in the foot.

Seems to me like it does wonders for FakeBasicAuth usability.

Does it make sense to move the mockup of the Authorization header into
mod_authn_fake, or give it a better way to signal to the auth modules
not to challenge?

-- 
Eric Covener
covener@gmail.com