Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/05/01 00:10:22 UTC
DO NOT REPLY [Bug 19502] New: - Cannot tell how my password is being authenticated
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19502
Summary: Cannot tell how my password is being authenticated
Product: Apache httpd-1.3
Version: 1.3.23
Platform: All
OS/Version: Linux
Status: NEW
Severity: Enhancement
Priority: Other
Component: Auth/Access
AssignedTo: bugs@httpd.apache.org
ReportedBy: James@a-le.co.uk
My university allows students to create pages that can be restricted so that
only registered students can view the page (the Apache server can be set to use
authentication over Kerberos). They also offer the web page authors the ability
to deliver pages over a secure sockets layer (https) connection. Together these
two facilities allow authors to make pages that I am happy to view using my
university login.
The users can also cause my browser to prompt me for a password using basic or
digest authentication and there is no way for me to know which it is. The
problem is that I do not trust the users who make the web pages and the
authentication method determines whether or not they can see my password.
I would like the httpd to have a configuration option that appends to the realm
'Kerberos: ' if that method of authentication is used and something like 'Not
Kerberos: ', 'Basic: ' or 'Digest: ' if one of the other methods is used. I can
then enter my password knowing that the author of the page does not see my
authentication secret.