Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/05/01 00:10:22 UTC

DO NOT REPLY [Bug 19502] New: - Cannot tell how my password is being authenticated

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19502

           Summary: Cannot tell how my password is being authenticated
           Product: Apache httpd-1.3
           Version: 1.3.23
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Auth/Access
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: James@a-le.co.uk


My university allows students to create pages that can be restricted so that
only registered students can view the page (the Apache server can be set to use
authentication over Kerberos).  They also offer the web page authors the ability
to deliver pages over a secure sockets layer (https) connection.  Together these
two facilities allow authors to make pages that I am happy to view using my
university login.

The users can also cause my browser to prompt me for a password using basic or
digest authentication and there is no way for me to know which it is.  The
problem is that I do not trust the users who make the web pages and the
authentication method determines whether or not they can see my password.

I would like the httpd to have a configuration option that appends to the realm
'Kerberos: ' if that method of authentication is used and something like 'Not
Kerberos: ', 'Basic: ' or 'Digest: ' if one of the other methods is used.  I can
then enter my password knowing that the author of the page does not see my
authentication secret.
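
Added example, not part of the original report or of Apache httpd: it builds the Authorization header a client sends in answer to a Basic and a Digest (RFC 2617, MD5, no qop) challenge and shows which one lets the receiving side recover the cleartext password. The challenge only names the HTTP scheme and realm, not what checks a Basic password behind the server, which is the gap the requested realm prefix would fill. The realm, nonce, user name and password are constructed sample values.

```python
import base64
import hashlib
import re

# Constructed sample challenges; the realm and nonce values are made up.
BASIC_CHALLENGE = 'Basic realm="Student pages"'
DIGEST_CHALLENGE = 'Digest realm="Student pages", nonce="c0ffee1234", algorithm=MD5'


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_challenge(value):
    """Split one WWW-Authenticate challenge into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
    return scheme.capitalize(), {k.lower(): q or b for k, q, b in pairs}


def authorization_header(challenge, user, password, method="GET", uri="/"):
    """Build the Authorization value a client sends for this challenge."""
    scheme, p = parse_challenge(challenge)
    if scheme == "Basic":
        # Basic: user:password, base64-encoded (an encoding, not encryption).
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return f"Basic {token}"
    if scheme == "Digest":
        # Digest: only a hash bound to the server's nonce leaves the client.
        ha1 = _md5(f"{user}:{p['realm']}:{password}")
        ha2 = _md5(f"{method}:{uri}")
        response = _md5(f"{ha1}:{p['nonce']}:{ha2}")
        return (f'Digest username="{user}", realm="{p["realm"]}", '
                f'nonce="{p["nonce"]}", uri="{uri}", response="{response}"')
    raise ValueError(f"unhandled scheme: {scheme}")


def password_visible_to_server(authorization):
    """Return the cleartext password if the header discloses it, else None."""
    scheme, _, rest = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    _user, _, password = base64.b64decode(rest).decode().partition(":")
    return password


if __name__ == "__main__":
    for ch in (BASIC_CHALLENGE, DIGEST_CHALLENGE):
        hdr = authorization_header(ch, "james", "s3cret")
        print(parse_challenge(ch)[0], "->", password_visible_to_server(hdr))
```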
