On Tue, Oct 11, 2011 at 5:06 PM, Stephan Beal <[email protected]> wrote:

> On Tue, Oct 11, 2011 at 10:59 PM, Richard Hipp <[email protected]> wrote:
>
>> If you are using .htaccess style authentication for a Fossil instance on a
>> website, you have to check the "Allow REMOTE_USER authentication" box on the
>> /Admin/Access page to enable it.  That's a little obscure.  I wonder if we
>> should just make Fossil honor REMOTE_USER by default when it is running as
>> CGI.  Are there any adverse security considerations here?
>
>
> Just so i don't overlook this in the JSON API: does the REMOTE_USER
> handling change how fossil sends/uses the authentication cookie? (If not
> then JSON mode "should" support REMOTE_USER as-is.)
>

I don't think this applies to JSON.  But correct me if I'm wrong.

The interaction happens at the web-server, with no Fossil involvement.  If
the .htaccess is turned on (.htaccess is an apache-ism - presumably other
web-servers do it differently) and if the incoming HTTP request lacks a
"Authorization:" field, or if the authorization isn't valid, then the
web-server returns a 401 error.  This prompts the web-browser to pop up a
login/password dialog box.  The user enters the login and password, clicks
OK and the cycle repeats.

If the authentication does check out (if the password is correct) then for
CGI programs the web-server sets the REMOTE_USER environment variable to the
login that the web-server authenticated.  Fossil will honor this REMOTE_USER
(if the remote_user_ok setting is on) without checking for the login cookie
or any of its usual login mechanisms.

Note that the web-server checks the password using whatever mechanism the
web-server is designed to use.  I seriously doubt that any existing
web-servers have any knowledge of Fossil passwords.  So your Fossil
passwords don't matter here.  The passwords are stored where the web-server
can find them.

Note also that I don't think the "sync" command knows how to deal with a 402
response.  So the REMOTE_USER thing won't work for "sync" or "clone".
(Volunteers to fix this???)



>
> --
> ----- stephan beal
> http://wanderinghorse.net/home/stephan/
>
> _______________________________________________
> fossil-users mailing list
> [email protected]
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>
>


-- 
D. Richard Hipp
[email protected]
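The flow described in the reply above, as an added example that is not part of the original message and is not Fossil's own code: a constructed in-process "web server" does HTTP Basic authentication against a password file, answers 401 when credentials are missing or wrong, and on success sets the CGI variable REMOTE_USER before handing control to the application. The application side (identify_user) honors REMOTE_USER only when a remote_user_ok flag is on, and otherwise falls back to its own login cookie. A client-side helper shows the 401-then-retry cycle a sync-style tool would have to implement. The function names, the htpasswd dictionary, the cookie name fossil_login and the sample credentials are all assumptions made for this example.

```python
"""
Added example (not Fossil's code): how a CGI program can decide who the
user is once the web server has done the HTTP authentication.

Assumed names for this example: identify_user(), cookie_login(),
basic_auth_header(), challenge_cycle(), fake_web_server(), and the
constructed HTPASSWD table. Only the setting name remote_user_ok comes
from the message above.
"""
import base64
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the web server's password file (htpasswd-like).
HTPASSWD: Dict[str, str] = {"alice": "s3cret"}


def cookie_login(cookie_header: Optional[str]) -> Optional[str]:
    """Constructed stand-in for the application's own login-cookie check.

    Returns the login carried in an assumed 'fossil_login' cookie, or None.
    """
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "fossil_login" and value:
            return value
    return None


def identify_user(environ: Dict[str, str], remote_user_ok: bool,
                  cookie_check: Callable[[Optional[str]], Optional[str]]
                  ) -> Optional[str]:
    """Return the authenticated login, or None for an anonymous request.

    Precedence mirrors the message: if remote_user_ok is on and the web
    server supplied REMOTE_USER, that identity wins and no cookie check
    happens. Otherwise the application's usual cookie mechanism applies.
    """
    if remote_user_ok:
        # Only the CGI meta-variable counts. A client-supplied
        # "Remote-User:" request header would show up as HTTP_REMOTE_USER
        # and is deliberately ignored: it was never verified by the server.
        remote_user = environ.get("REMOTE_USER", "").strip()
        if remote_user:
            return remote_user
    return cookie_check(environ.get("HTTP_COOKIE"))


def basic_auth_header(login: str, password: str) -> str:
    """Build the Authorization: value a browser sends after the 401 prompt."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return f"Basic {token}"


def fake_web_server(headers: Dict[str, str],
                    remote_user_ok: bool = True) -> Tuple[int, str]:
    """Constructed web server: does what the .htaccess-protected server
    does. Missing or bad credentials -> 401; good credentials -> set
    REMOTE_USER in the CGI environment and run the application."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, "Unauthorized"
    try:
        login, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, "Unauthorized"
    if HTPASSWD.get(login) != password:
        return 401, "Unauthorized"
    environ = {
        "REMOTE_USER": login,          # set by the server, not the client
        "AUTH_TYPE": "Basic",
        "HTTP_COOKIE": headers.get("Cookie", ""),
    }
    user = identify_user(environ, remote_user_ok, cookie_login)
    return 200, f"hello {user}"


def challenge_cycle(send: Callable[[Dict[str, str]], Tuple[int, str]],
                    login: str, password: str, max_tries: int = 2
                    ) -> Tuple[int, str]:
    """Client side of the cycle: a sync-style tool that handles 401 must
    resend the request with an Authorization: header. send(headers)
    returns (status, body); fake_web_server above fits that shape."""
    headers: Dict[str, str] = {}
    status, body = 401, ""
    for _ in range(max_tries):
        status, body = send(headers)
        if status != 401:
            break
        headers["Authorization"] = basic_auth_header(login, password)
    return status, body
```

Two points the example makes concrete: the application never sees or checks the password when the web server authenticates (fake_web_server consults HTPASSWD, identify_user only reads REMOTE_USER), and an identity offered by the client as a request header lands in HTTP_REMOTE_USER and must not be trusted. With remote_user_ok off, the server's REMOTE_USER is ignored and only the cookie path remains, which is the behaviour a default-off setting buys.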