DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41685>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41685

           Summary: Implement optional HTTP Authentication in a standards-compliant fashion
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Core
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

It would be possible to implement optional HTTP Authentication (something that people seem to want often enough; see links below) without violating any RFCs.

Optional Auth Process
---------------------
The idea is that (if the feature were turned on) the process would work as follows:

1. A request comes in from a web browser for a page marked with optional authentication
2. Seeing no authentication, Apache passes this on to the CGI/mod_perl that will process it
3. The CGI/mod_perl sends back a response with a 401/WWW-Authenticate
4. Apache, seeing authentication in the response this time, processes the authentication. Either way, it passes control back to the CGI/mod_perl, but if the authentication failed, it will not populate the variables containing the username and the like. It is up to the CGI/mod_perl how to respond to this.

Changes required
----------------
The change required in Apache to achieve this is fairly simple: if optional auth is specified (eg. in a .htaccess), pass control to the CGI/mod_perl even if the auth fails; don't respond with a 401 or a WWW-Authenticate.

Suggested config syntax:

    AuthOptional On

Presumably, this should also be part of AllowOverride AuthConfig

Additional Information
----------------------
I'm not 100% sure this belongs in the core, but I was unsure where it did belong

For reference, the complaints that people have about using HTTP Auth are summarised in the following articles:

http://www.artima.com/weblogs/viewpost.jsp?thread=155252
http://fishbowl.pastiche.org/2003/12/30/saving_http_authentication

Some of their solutions involve changing RFCs.
Mine only involves adding a configuration option which doesn't violate RFCs.
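The optional-auth flow described in the report, modelled as an added Python example (not code from the report or from Apache httpd). The names `check_basic`, `cgi_app` and `handle`, the `/login` path and the credential store are hypothetical and constructed for illustration; the point shown is that the front end sets `REMOTE_USER` only after verifying credentials and never copies it from the client.

```python
import base64, hashlib, hmac

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (assumption): username -> (salt, PBKDF2 hash).
USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}

def check_basic(header):
    """Return the verified username, or None if absent, malformed or wrong."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
        user, _, password = raw.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    salt, expected = USERS.get(user, (b"dummy-salt", b""))
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return user if ok and user in USERS else None

def cgi_app(env):
    """Hypothetical application: decides for itself when to send the 401 challenge."""
    user = env.get("REMOTE_USER")
    if user:
        return 200, {}, f"hello {user}"
    if env["PATH_INFO"] == "/login":
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}, "login required"
    return 200, {}, "hello anonymous"

def handle(path, headers, auth_optional=True):
    """Front end: with auth_optional, missing or failed auth still reaches the app."""
    user = check_basic(headers.get("Authorization"))
    if user is None and not auth_optional:
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}, ""
    # Build the environment from scratch so a client cannot smuggle in REMOTE_USER.
    env = {"PATH_INFO": path}
    if user is not None:
        env["REMOTE_USER"] = user
    return cgi_app(env)
```

Because failed credentials are indistinguishable from no credentials at the application, the application must treat a missing `REMOTE_USER` as anonymous on every protected action.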
