Posted to users@httpd.apache.org by Joost de Heer <sa...@xs4all.nl> on 2006/03/28 18:19:22 UTC

[users@httpd] Re: Single Sign-On to Virtual Hosts

David Knecht wrote:
> This is probably a rather simple question related to single sign-on to
> virtual hosts. Although I did some research I need some advice that
> points me to the right direction...
>
> This is the environment:
>
> Virtual host A; Allowed users: administrator, user_a
> Virtual host B; Allowed users: administrator, user_b
> Virtual host C; Allowed users: administrator, user_a, user_c
>
> I'd like to create an administrator account using Apache's basic
> authentication feature. Whenever the administrator is successfully
> authenticated to one of these virtual hosts then no additional
> authentication/login should be required when accessing the other virtual
> hosts. The same applies to non-administrator users. Here, every
> individual user is allowed to login only to explicitly assigned virtual
> hosts.
>
> I am currently using this type of authentication definitions in every
> single virtual host container of my test setup:
>
> ...
>       <Location "/xyz">
>               AuthType Basic
>               AuthName "Virtual Host A"
>               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
>               Require valid-user
>       </Location>
> ...
>
> Every virtual host container is currently using its own AuthUserFile. I
> assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
> user definitions as well as "Require administrator user_a" etc. on every
> individual virtual host is the way to go. However, I did not manage to
> make the single sign-on work so far...

Something like this:

- Have all vhosts use the same AuthName
- Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
group with the members that may use that vhost
- require membership of the proper authgroup.

Once you start using different authnames, you can forget SSO, since a
different realm will be used for different vhosts.

Joost


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Single Sign-On to Virtual Hosts

Posted by David Knecht <da...@anyweb.ch>.
Joshua Slive wrote:
> On 3/28/06, Joost de Heer <sa...@xs4all.nl> wrote:
>> David Knecht wrote:
>>> This is probably a rather simple question related to single sign-on to
>>> virtual hosts. Although I did some research I need some advice that
>>> points me to the right direction...
>>>
>>> This is the environment:
>>>
>>> Virtual host A; Allowed users: administrator, user_a
>>> Virtual host B; Allowed users: administrator, user_b
>>> Virtual host C; Allowed users: administrator, user_a, user_c
>>>
>>> I'd like to create an administrator account using Apache's basic
>>> authentication feature. Whenever the administrator is successfully
>>> authenticated to one of these virtual hosts then no additional
>>> authentication/login should be required when accessing the other virtual
>>> hosts. The same applies to non-administrator users. Here, every
>>> individual user is allowed to login only to explicitly assigned virtual
>>> hosts.
>>>
>>> I am currently using this type of authentication definitions in every
>>> single virtual host container of my test setup:
>>>
>>> ...
>>>       <Location "/xyz">
>>>               AuthType Basic
>>>               AuthName "Virtual Host A"
>>>               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
>>>               Require valid-user
>>>       </Location>
>>> ...
>>>
>>> Every virtual host container is currently using its own AuthUserFile. I
>>> assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
>>> user definitions as well as "Require administrator user_a" etc. on every
>>> individual virtual host is the way to go. However, I did not manage to
>>> make the single sign-on work so far...
>> Something like this:
>>
>> - Have all vhosts use the same AuthName
>> - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
>> group with the members that may use that vhost
>> - require membership of the proper authgroup.
>>
>> Once you start using different authnames, you can forget SSO, since a
>> different realm will be used for different vhosts.
> 
> Different hosts will require a new prompt regardless of the AuthName. 
> Otherwise you could easily steal passwords from other sites just by
> copying their AuthName.
> 
> So the punchline is that it is impossible to do SSO across different
> hosts with http basic auth.  You need to use another technique to
> manage sessions like cookies or special URLs.
> 
> Joshua.

Thanks. I guess I am going to give http://idcheck.sourceforge.net/ a try.

David



Re: [users@httpd] Re: Single Sign-On to Virtual Hosts

Posted by Joshua Slive <jo...@slive.ca>.
On 3/28/06, Joost de Heer <sa...@xs4all.nl> wrote:
> David Knecht wrote:
> > This is probably a rather simple question related to single sign-on to
> > virtual hosts. Although I did some research I need some advice that
> > points me to the right direction...
> >
> > This is the environment:
> >
> > Virtual host A; Allowed users: administrator, user_a
> > Virtual host B; Allowed users: administrator, user_b
> > Virtual host C; Allowed users: administrator, user_a, user_c
> >
> > I'd like to create an administrator account using Apache's basic
> > authentication feature. Whenever the administrator is successfully
> > authenticated to one of these virtual hosts then no additional
> > authentication/login should be required when accessing the other virtual
> > hosts. The same applies to non-administrator users. Here, every
> > individual user is allowed to login only to explicitly assigned virtual
> > hosts.
> >
> > I am currently using this type of authentication definitions in every
> > single virtual host container of my test setup:
> >
> > ...
> >       <Location "/xyz">
> >               AuthType Basic
> >               AuthName "Virtual Host A"
> >               AuthUserFile /etc/httpd/virtual_host_a_htpasswd
> >               Require valid-user
> >       </Location>
> > ...
> >
> > Every virtual host container is currently using its own AuthUserFile. I
> > assume that using one single AuthUserFile (/etc/httpd/htpasswd) for all
> > user definitions as well as "Require administrator user_a" etc. on every
> > individual virtual host is the way to go. However, I did not manage to
> > make the single sign-on work so far...
>
> Something like this:
>
> - Have all vhosts use the same AuthName
> - Make a groups file with groups 'vhosta', 'vhostb' etc, and fill the
> group with the members that may use that vhost
> - require membership of the proper authgroup.
>
> Once you start using different authnames, you can forget SSO, since a
> different realm will be used for different vhosts.

Different hosts will require a new prompt regardless of the AuthName. 
Otherwise you could easily steal passwords from other sites just by
copying their AuthName.

So the punchline is that it is impossible to do SSO across different
hosts with http basic auth.  You need to use another technique to
manage sessions like cookies or special URLs.

Joshua.
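The following is an added model, not code from the thread or from httpd itself, that puts both replies side by side: Joost's scheme of one shared user file plus a groups file with one group per vhost and `Require group`, and Joshua's point that a browser caches Basic credentials per protection space (RFC 7617: the host's canonical root URI plus the realm), so the same AuthName on another host still produces a new prompt. The host names (a.example, b.example, c.example), the realm "Intranet", the group names and the plain-text passwords in the sample files are all constructed for the model; a real AuthUserFile holds htpasswd hashes.

```python
"""Basic auth across virtual hosts: shared user file, per-vhost groups,
and a browser-like credential cache keyed by protection space.

All files, hosts, users and passwords below are constructed samples.
"""
import base64

# Constructed AuthUserFile (plain secrets only to keep the model short).
HTPASSWD = """\
administrator:adminpw
user_a:apw
user_b:bpw
user_c:cpw
"""

# Constructed AuthGroupFile: "groupname: member member ...", one group per vhost.
GROUPS = """\
vhosta: administrator user_a
vhostb: administrator user_b
vhostc: administrator user_a user_c
"""


def parse_htpasswd(text):
    """Map user -> secret from a user file (blank and # lines are skipped)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, secret = line.partition(":")
            users[name] = secret
    return users


def parse_groups(text):
    """Map group -> set of members from a groups file."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def basic_header(user, secret):
    """Build an Authorization header value for Basic auth."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, secret)).encode()).decode()


class VHost:
    """One virtual host: an AuthName realm and a 'Require group' rule."""

    def __init__(self, host, realm, require_group, users, groups):
        self.host, self.realm, self.require_group = host, realm, require_group
        self.users, self.groups = users, groups

    def handle(self, authorization=None):
        """Return (status, WWW-Authenticate challenge or None)."""
        challenge = 'Basic realm="%s"' % self.realm
        if authorization is None:
            return 401, challenge
        scheme, _, token = authorization.partition(" ")
        if scheme != "Basic":
            return 401, challenge
        try:
            user, _, secret = base64.b64decode(token).decode().partition(":")
        except ValueError:
            return 400, None
        if self.users.get(user) != secret:              # authentication: AuthUserFile
            return 401, challenge
        if user not in self.groups.get(self.require_group, set()):
            return 403, None                            # authorization: Require group
        return 200, None


class Client:
    """Browser-like credential cache.

    scope_by_host=True keys the cache by (host, realm), the protection space
    real browsers use. scope_by_host=False keys it by realm alone, a
    hypothetical browser, to show what the host scoping prevents.
    """

    def __init__(self, scope_by_host=True):
        self.scope_by_host = scope_by_host
        self.cache = {}
        self.prompts = 0

    def fetch(self, vhost, typed):
        """Request from vhost; `typed` is the (user, secret) entered if prompted."""
        status, challenge = vhost.handle()              # let the server challenge
        if status != 401:
            return status
        realm = challenge.split('realm="', 1)[1].rstrip('"')
        key = (vhost.host, realm) if self.scope_by_host else realm
        if key not in self.cache:
            self.prompts += 1                           # user sees a login dialog
            self.cache[key] = typed
        status, _ = vhost.handle(basic_header(*self.cache[key]))
        return status


def make_vhosts():
    """Three vhosts sharing one user file and one groups file, same AuthName."""
    users, groups = parse_htpasswd(HTPASSWD), parse_groups(GROUPS)
    return {n: VHost(n + ".example", "Intranet", "vhost" + n, users, groups)
            for n in "abc"}


def demo(scope_by_host=True):
    """administrator visits A, B, C; user_b then tries A.

    Returns (statuses, number of login prompts the administrator saw).
    """
    hosts = make_vhosts()
    admin = Client(scope_by_host)
    statuses = [admin.fetch(hosts[n], ("administrator", "adminpw")) for n in "abc"]
    other = Client(scope_by_host)
    statuses.append(other.fetch(hosts["a"], ("user_b", "bpw")))
    return statuses, admin.prompts


if __name__ == "__main__":
    for scoped in (True, False):
        print("host-scoped" if scoped else "realm-only", demo(scoped))
```

With the host-scoped cache the administrator is prompted three times even though every vhost sends the same AuthName, while user_b is authenticated but gets 403 from the group check on A. With the realm-only cache the administrator is prompted once and the password is silently re-sent to B and C: that is the credential leak Joshua describes, which is why browsers scope by host and why Basic auth alone cannot give cross-host SSO.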
