If the server uses a 401 to ask for authentication, the browser is in charge of making the response. mod_auth_external or mod_authnz_external simply allows Apache to deal with other authentication responses from the client (and if the client isn't a browser, you can use whatever scheme you want). I suspect that any exception that works this way is likely to be browser specific.
mod_auth_form sounds like it is intended to not send a 401, but instead serves your login form, keeping the browser out of the authentication process. The module then collects the form post and passes the results on to an authentication mechanism, and, if successful, it is recorded in a session object and a session cookie is included in subsequent server responses. Additional requests that include the session cookie are considered authenticated.

The doc certainly implies that you might use mod_auth_basic, but I think that getting the form submission to produce Basic Auth style encoding will require JavaScript (do you want to count on it being enabled?).

But note that Basic Auth encoding is trivially reversible and thus provides no real security over plain text: neither should be used without TLS. What you want is for the server side storage of user/password pairs to use some non-reversible hash so that server compromise doesn't compromise user passwords (which they probably use elsewhere). So you need an authentication back end that accepts the plain text (or reversible basic auth style obfuscation) and verifies it against the stored hash.

On Mon, Feb 22, 2016 at 11:44 AM, Carl Nobile <[email protected]> wrote:

> Bill,
>
> That's not completely true; there is the fairly new Apache module
> 'mod_auth_form' that is supposed to ameliorate this problem, but I can't
> seem to get that working either.
>
> The browser drops down a login when it sees a 401 status code plus
> `WWW-Authenticate: Basic realm="WallyWorld"`. If you rewrite the 'Basic'
> part to a custom scheme, but still send basic credentials 'mod_auth_form'
> should do the right thing by sending on to 'mod_authnz_external'. At least
> that's what I understand. See: https://tools.ietf.org/html/rfc2617.
>
> I'm just trying to get the Apache config right.
>
> The reason I am using 'mod_authnz_external' is because I'm authorizing
> through PAM / NIS.
>
> Thanks for your response anyway.
>
> On Mon, Feb 22, 2016 at 11:28 AM, Bill Freeman <[email protected]> wrote:
>
>> No. When you say "Basic Auth", you've said browser handles it.
>>
>> On Mon, Feb 22, 2016 at 11:24 AM, Carl Nobile <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> Been awhile since I've posted to this list, but I've run into an issue
>>> that I just cannot solve on my own.
>>>
>>> I need to use the mod_authnz_external package to authenticate using
>>> Basic auth through TLS (SSL). Is it possible to bypass the browser dropdown
>>> login screen and use the one I've written in Django? Can mod_wsgi come to
>>> my rescue here?
>>>
>>> -------------------------------------------------------------------------------
>>> Carl J. Nobile (Software Engineer)
>>> [email protected]
>>> -------------------------------------------------------------------------------
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "modwsgi" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/modwsgi.
>>> For more options, visit https://groups.google.com/d/optout.
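
The back end described in the top reply (accept the plain-text or Basic-decoded password, verify it against a non-reversible stored hash), sketched as a mod_wsgi `WSGIAuthUserScript` `check_password` hook. This is an added example, not code from the thread; the user store, the PBKDF2 parameters and the sample credentials are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex'; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def decode_basic(header):
    """Recover (user, password) from an Authorization value: Basic is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample store: only salted hashes live on the server.
USERS = {"wally": hash_password("s3cret-example")}
_DUMMY = hash_password("dummy-password")


def check_password(environ, user, password):
    """mod_wsgi auth hook: True = accepted, False = wrong password, None = unknown user."""
    stored = USERS.get(user)
    if stored is None:
        verify_password(password, _DUMMY)  # do the same work so unknown users are not faster
        return None
    return verify_password(password, stored)
```

The same `verify_password` can sit behind a Django login view when the form-and-session route is used instead of a 401; either way the password crosses the wire recoverable, so TLS is still required.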
