Emmanuel Blot wrote:
<snip>

> However, imagine the following scenario:
> 
>  1/ Trac administrator sets up an HTTP authentication with digest
>      far less secure than HTTPS - however HTTPS may simply not be available
>      but passwords are nevertheless not sent as plain text. This is a
>      common tradeoff.
> 
>  2/ Everything works fine, Apache manages authentication (http
> credentials w/ digest)
> 
>  3/ Trac administrator performs an upgrade, or tweaks Apache or Trac
> configuration
> 
>  4/ Unfortunately, things go bad -  and they always go bad at some point
> 
>  5/ Trac "automagically" detects HTTP authentication is no more
> available, and decides on its own to send a form-based authentication
> page

So, I'm already going to be changing this behavior.  On initenv, you'll
be able to decide whether or not to use form based auth.  For all
existing sites, form based auth will be disabled due to the lack of a
password_store being configured in the trac.ini.  So you do an upgrade,
and somehow Apache fails to do auth, and then you get the nice
wonderful ugly error of "Authentication Not Setup".  No form based auth.

<snip all the stuff that won't happen>

-John
