From: Rudi Farkas [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2008 2:27 PM
To: [email protected]
Subject: [shttpd-general] shttpd : can we have an empty password ?
I have the requirement to 'protect' a specific file served by shttpd
with an empty password.
Leaving aside the question whether the requirement is reasonable, is it
possible to implement it using a password entry in a shttpd password
file ?
I tried to do this, but shttpd refuses the user response when the
password file specifies an empty password and browser user supplies an
empty password.
Is this fundamentally impossible, or am I doing something wrong ?
Here is my experiment that illustrates the problem :
1- install shttpd-1.42 on WinXP from the installer, to the default
directory C:\shttpd-1.42
2- modify the file shttpd.conf thus (keeps all files in the same
directory) :
# SHTTPD web server configuration file.
# Lines starting with '#' and empty lines are ignored.
# For detailed description, visit http://shttpd.sourceforge.net/shttpd.1.txt
root .
ports 80,443s
systray yes
access_log .\shttpd_access_log.txt
error_log .\shttpd_error_log.txt
auth_realm mydomain.com
protect /full.html=.pwdfull,/empty.html=.pwdempty
3- create 3 simple html files
\shttpd-1.42\empty.html
\shttpd-1.42\full.html
\shttpd-1.42\index.html
4- create 2 password files
C:\shttpd-1.42>shttpd -A .pwdempty mydomain.com me ""
C:\shttpd-1.42>shttpd -A .pwdfull mydomain.com me full
5- launch server
C:\shttpd-1.42>shttpd
Loading config file shttpd.conf
6- open a browser (IE7 or FF3 in my case) and navigate to
http://localhost
Browser opens index.html - OK
7- navigate to http://localhost/full.html
Browser asks for credentials - respond with "me" and "full"
shttpd accepts the response and browser opens full.html - OK
8- navigate to http://localhost/empty.html
Browser asks for credentials - respond with "me" and blank - type
nothing in password field, press OK
shttpd refuses the response and browser asks again for credentials ...
This is where I am stuck - is there anything I can do so that shttpd
would accept the response ?
Attached is a zip file with all test files mentioned in the experiment.
Any clarifications or ideas would be appreciated.
Rudi
--------------------------------------------------------------------------
Modify shttpd.c source code. When user enters empty password, code it
as if they used a password of "StupidMoronRequest". When you write to
the .htpasswd file, leave the password column empty. Then when the
logic authenticates a username/password pair, assume they entered that
password. You'll have to create a custom login form that sends a
non-blank password on, but accepts a blank password field (or if they
don't want to ever see a password field, then modify the HTML/JavaScript
for the logon form to sneakily send "StupidMoronRequest" as the
password).
Does the spec state that the password column in .htpasswd file needs to
be empty, or just that the user must not be required to fill out a
password field in the logon? In any event, above technique will work.
It will be less work for you if you can just hardcode the MD5
equivalent of "StupidMoronRequest" in the authorization logic.
David
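
Added example (not part of either message, and not shttpd's own code): an audit script that finds password-file entries which accept an empty password or a fixed, publicly known one, the two situations discussed in this thread. It assumes the file uses the htdigest layout user:realm:MD5(user:realm:password); the "guest" and "kiosk" accounts and the combined sample file are constructed for illustration.

```python
import hashlib


def ha1(user, realm, password):
    """HA1 from RFC 2617: hex MD5 of 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def audit_digest_file(text, candidates=("",)):
    """Flag entries with an empty hash column or a hash matching a candidate.

    Returns a list of (line_number, user, realm, reason) tuples.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            findings.append((line_no, None, None, "malformed entry"))
            continue
        user, realm, stored = fields
        if stored == "":
            findings.append((line_no, user, realm, "empty hash column"))
            continue
        for pw in candidates:
            # The hash is salted by user and realm, so recompute per entry.
            if stored.lower() == ha1(user, realm, pw):
                reason = "empty password" if pw == "" else f"known password {pw!r}"
                findings.append((line_no, user, realm, reason))
                break
    return findings


# Constructed sample: the two accounts from the experiment, one entry with a
# blank hash column, and one using the fixed string proposed in the reply.
SAMPLE = "\n".join([
    f"me:mydomain.com:{ha1('me', 'mydomain.com', 'full')}",
    f"me:mydomain.com:{ha1('me', 'mydomain.com', '')}",
    "guest:mydomain.com:",
    f"kiosk:mydomain.com:{ha1('kiosk', 'mydomain.com', 'StupidMoronRequest')}",
])

if __name__ == "__main__":
    for finding in audit_digest_file(SAMPLE, candidates=("", "StupidMoronRequest")):
        print(finding)
```

A password hardcoded in the server or in the login page is known to anyone who reads either, so the audit treats it the same way as an empty one.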