Posted to dev@httpd.apache.org by Rodent of Unusual Size <CO...@PROCESS.COM> on 1997/11/25 18:16:00 UTC

Re: denying access without challenging?

From the fingers of Dean Gaudet flowed the following:
>
>On Tue, 25 Nov 1997, Michael Smith wrote:
>
>> It is possible in apache to deny access to users without actually
>> prompting them for a username/password.
>
>No.  There's no magic way for the browser to divine that it's really being
>used by a valid-user except for it to ask the user for their password. 

    Unless, of course, you can do it at a lower level using
    nondiscretionary controls - like IP addresses.  But if you need to
    involve discretionary controls like usernames and passwords, Dean's
    right.

    #ken    P-)}

Re: denying access without challenging?

Posted by Dean Gaudet <dg...@arctic.org>.

On Tue, 25 Nov 1997, Michael Smith wrote:

> I would expect the user to be challenged, and maybe the server would accept the
> challenge but still not let them see the page.  Hmm, the more I think about it the
> more complicated it becomes ...

Oh, that's not what I thought you were asking.  I thought you were asking
how to avoid putting up the password dialogue in the first place.

What you want is possible, but not without modifying the code.  You'd have
to modify the module to return some bogus auth failed code, and detect
that later in the die() routine, and print a different error message and
fix the status to be a valid auth failed code.

Dean


Re: denying access without challenging?

Posted by Michael Smith <mj...@iii.co.uk>.
I'm not sure I have explained what I'd like to do as clearly as I could have done!
I don't appear to be very good at that side of things sometimes :-(

I would expect the user to be challenged, and maybe the server would accept the
challenge but still not let them see the page.  Hmm, the more I think about it the
more complicated it becomes ...

It'd be something like this

Page 1
require valid-user
link to Page 2

Page 2
require group gp

Such that the users who can see page 2 (those in group gp) are a subset of those
who can see page 1.  I guess what I want to see is something like

Page 2
require valid-user
if (! group gp) print_up_some_other_page

if you get my meaning.

Hope we're talking about doing the same sort of thing here.

Mike

Dean Gaudet wrote:

> REMOTE_USER is set by the authentication code.  i.e. you can't divine its
> value unless the user has been challenged.
>
> Dean




Re: denying access without challenging?

Posted by Dean Gaudet <dg...@arctic.org>.
REMOTE_USER is set by the authentication code.  i.e. you can't divine its
value unless the user has been challenged.

Dean

On Tue, 25 Nov 1997, Michael Smith wrote:

> Rodent of Unusual Size wrote:
> 
> >     Unless, of course, you can do it at a lower level using
> >     nondiscretionary controls - like IP addresses.  But if you need to
> >     involve discretionary controls like usernames and passwords, Dean's
> >     right.
> >
> >     #ken    P-)}
> 
> Well you could do it with usernames with mod_rewrite by doing something like
> 
> RewriteCond %{REMOTE_USER} !fred
> RewriteRule (.*) /notallowed.html
> 
> But of course this means inserting the members of a group into an htaccess
> file which would be unacceptable.   An alternative which might well work would
> be to use some clever RewriteMap script which consulted the authentication
> files itself, but this would be really messy!
> 
> Mike
> 
> 
> 


Re: denying access without challenging?

Posted by Michael Smith <mj...@iii.co.uk>.
Rodent of Unusual Size wrote:

>     Unless, of course, you can do it at a lower level using
>     nondiscretionary controls - like IP addresses.  But if you need to
>     involve discretionary controls like usernames and passwords, Dean's
>     right.
>
>     #ken    P-)}

Well you could do it with usernames with mod_rewrite by doing something like

RewriteCond %{REMOTE_USER} !fred
RewriteRule (.*) /notallowed.html

But of course this means inserting the members of a group into an htaccess
file which would be unacceptable.   An alternative which might well work would
be to use some clever RewriteMap script which consulted the authentication
files itself, but this would be really messy!

Mike
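
Added example, not part of the original thread: a sketch of the RewriteMap helper idea mentioned above, written as a mod_rewrite `prg:` map program that checks group membership against an AuthGroupFile-style file. The map name `ingp`, the script and group-file paths, and the sample file contents are assumptions made for illustration; the match is exact, so unlike the unanchored pattern `!fred` a user such as `alfred` is not treated as `fred`.

```python
#!/usr/bin/env python3
"""RewriteMap "prg:" helper: prints yes/no for each username read on stdin.

Hypothetical wiring (map name and paths are assumptions):
    RewriteMap  ingp  prg:/usr/local/bin/ingroup.py
    RewriteCond ${ingp:%{REMOTE_USER}} !=yes
    RewriteRule (.*) /notallowed.html
"""
import sys

GROUP_FILE = "/usr/local/apache/conf/htgroup"  # hypothetical path
GROUP = "gp"                                   # group name from the thread

# Constructed sample in AuthGroupFile format ("group: user1 user2 ...").
SAMPLE = "# constructed sample\ngp: fred mike\nstaff: alfred\ngp: dean\n"


def parse_groups(text):
    """Return {group: set(members)}; a group may span several lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def answer(user, groups, group=GROUP):
    """Exact-match membership: "alfred" is not "fred", and "" is nobody."""
    return "yes" if user and user in groups.get(group, set()) else "no"


def serve(path=GROUP_FILE, stdin=None, stdout=None):
    """One reply line per lookup key, flushed, as mod_rewrite expects."""
    stdin, stdout = stdin or sys.stdin, stdout or sys.stdout
    for key in stdin:
        try:
            with open(path) as fh:       # re-read so edits take effect
                groups = parse_groups(fh.read())
        except OSError:
            groups = {}                  # fail closed: unreadable file => "no"
        stdout.write(answer(key.rstrip("\r\n"), groups) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

The user is still challenged by the normal `require valid-user` check; the map only decides which page an authenticated user is sent to.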