Müller Johannes wrote:
So far so good, but how to handle fallback to basic authentication if the client has no certificate (SSLVerifyClient optional)? If we created a new module mod_auth_cert and there is no username from mod_ssl we would like to call mod_auth_basic. If I understood you right, I would hook mod_auth_cert before mod_auth_basic and let it react on AuthType Basic. If mod_auth_cert then returns DECLINED, mod_auth_basic runs and does basic authentication. That would work, but I personally don't like it. If I configure "AuthType Basic" I want to do basic auth, not cert auth. If I created a new module I would prefer configuring "AuthType Cert" and doing something like "AuthCertFallback On".
Hmmm... this looks a little bit too cert specific. It would be cool if we could support auth fallback in an arbitrary fashion. For example, if a user has a cert, use that as their identity, otherwise use their session identity from mod_auth_form, or failing that use basic authentication.
If all of them fail, then pick one of them to handle the "access denied" part (for example request a basic authentication username and password, or let mod_auth_form display a login form, whatever).
You might do something like this:

AuthType certificate, form, basic

Regards,
Graham
--
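The fallback order proposed in the message above, modelled as a small stand-alone C program. This is an added example, not code from the thread or from httpd: the structs, the function names and the `denier` parameter are hypothetical, and the assumption that the certificate provider has no challenge of its own is made only for this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a request; NOT httpd's request_rec. */
struct request {
    const char *cert_user;    /* identity from a verified client cert, or NULL */
    const char *session_user; /* identity from a form-login session, or NULL */
    const char *basic_user;   /* identity from verified basic credentials, or NULL */
};

struct provider {
    const char *name;
    const char *(*identify)(const struct request *); /* NULL means "declined" */
    const char *challenge; /* action on access denied; NULL = none (assumption) */
};

static const char *by_cert(const struct request *r)  { return r->cert_user; }
static const char *by_form(const struct request *r)  { return r->session_user; }
static const char *by_basic(const struct request *r) { return r->basic_user; }

/* Order mirrors the proposed "AuthType certificate, form, basic". */
static const struct provider chain[] = {
    { "certificate", by_cert,  NULL },
    { "form",        by_form,  "show login form" },
    { "basic",       by_basic, "401 WWW-Authenticate: Basic" },
};
#define NPROV (sizeof chain / sizeof chain[0])

/* On success: returns the provider name and sets *out to the user.
 * On failure: returns NULL and sets *out to the denier's challenge. */
const char *authenticate(const struct request *r, const char *denier,
                         const char **out)
{
    for (size_t i = 0; i < NPROV; i++) {
        const char *u = chain[i].identify(r);
        if (u) { *out = u; return chain[i].name; }  /* first identity wins */
    }
    for (size_t i = 0; i < NPROV; i++)
        if (strcmp(chain[i].name, denier) == 0 && chain[i].challenge) {
            *out = chain[i].challenge;
            return NULL;
        }
    *out = "403 Forbidden"; /* denier unknown or unable to challenge */
    return NULL;
}

int main(void)
{
    struct request sess = { NULL, "carol", NULL };  /* constructed sample */
    const char *out, *who = authenticate(&sess, "basic", &out);
    printf("%s -> %s\n", who ? who : "denied", out);
    return 0;
}
```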
