You are viewing a plain text version of this content. The canonical link for it is here.
Posted to websh-user@tcl.apache.org by Ronnie Brunner <ro...@netcetera.ch> on 2009/04/10 22:54:47 UTC
Re: Authentification
Hi again
> > some time ago (Apr 2006) we had a discussion on how to add access to
> > user/password from the authentication of APACHE.
> > For this new installation I decided to use the newest version from
> > SVN, also because there were some bugfixes with response and APACHE
> > 2.2 reported. I sadly recognized, that the changes were not in
> > (yet). Any plans to do so?
I just committed some changes that expose Bais Auth user and password
to Websh. (Aren't religious holidays like "Karfreitag" a wonderful thing
for us developers with a daytime job? ;-)
The new paragraphs from the (committed, but unpublished) quick
reference (request_data_handling.html):
""Special case for handling Basic Auth:
web::request AUTH_USER
returns the username provided by the user when Basic Auth is
requested and Apache does not handle it (i.e. if Apache does not
provide REMOTE_USER).
web::request AUTH_PW
returns the password provided by the user when Basic Auth is
requested and Apache does not handle it (i.e. if Apache does not
provide REMOTE_USER).
The following example provides a basic app that requires Basic Auth
and completely bypasses Apache's auth mechanisms.
Example 7. web::request AUTH_USER and web::request AUTH_PW
# returns 1 if user/pass provided is websh/websh
proc isAuthenticated {} {
if {[web::request -count AUTH_USER]} {
set user [web::request AUTH_USER]
set pass [web::request AUTH_PW]
if {[string eq $user "websh"] && [string eq $pass "websh"]} {
return 1
}
}
return 0
}
# the default command requests Basic Auth unless provided correctly
web::command default {
if {![isAuthenticated]} {
web::response -set Status {401 Authorization Required}
web::response -set WWW-Authenticate {Basic realm="Websh auth"}
web::put "Sorry, you're out"
} else {
web::put "You're in"
}
}
# command dispath
web::dispatch
Note: CGI usually does not expose the Basic Auth Authorization header
for security reasons. The following configuration for Apache (as of
version 2.0.51) will allow Websh to also provide the same
functionality when running in CGI (requires mod_setenvif):
Example 8. Apache configuration for AUTH_USER and AUTH_PW to work
under CGI
SetEnvIf Authorization "^(Basic .+)$" AUTH_BASIC=$1
Important security consideration: This configuration will also expose
the authentication information to Websh when Apache does handle the
authentication. Although Websh hides the information in that case it
is always available in the CGI environment. Use this Configuration
carefully.""
If you ever find the time to play around with this let me know if it
works for you.
Best regards
Ronnie
--
Ronnie Brunner | ronnie.brunner@netcetera.ch
phone +41-44-247 79 79 | fax +41-44-247 70 75
Netcetera AG | 8040 Zürich | Switzerland | http://netcetera.ch
---------------------------------------------------------------------
To unsubscribe, e-mail: websh-user-unsubscribe@tcl.apache.org
For additional commands, e-mail: websh-user-help@tcl.apache.org