Don't things like SSL client auth (pre-HTTP connection) internally show as basic auth? Isn't it just as trivial to make a module that does nothing more than set the auth-type string to basic? A simple contract (real contract, not EULA garbage), should give you far more protection than any of this.
Thanks, Rick Houser Auto-Owners Insurance Systems Support (517)703-2580 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sam Carleton Sent: Monday, November 24, 2008 9:43 AM To: modules-dev@httpd.apache.org Subject: Re: Setting a handler within a configuration directive Rick, You are absolutely right on all accounts. The only problem is that I am a one man shop and I simply don't have the resources to have multiple distributable. I prefer taking the risk of folks hacking my software then have multiple distributable. What is that saying, a lock only keeps the honest man honest. Those that are going to steal my code are going to steal it no matter what I do, well I could go to extremes to protect my code, it just isn't that widely used to be worth the effort. I did find what appears to be a good workaround last night after posting the question: My handler checks to see if the authentication is set to basic, if not, my handler is declined, thus, in theory stopping my handler from running if the user removes the AuthType from the location where the hander is set. I would still prefer to hide the setting, but if there is a even better way, I am all ears! Sam
