Hi Holger
> Now I have one problem, which I got solved using mod_dtcl and Rivet, that
> is to handle authentication in the Tcl part. In mod_dtcl and Rivet you
> have access to the username and password supplied by the browser. So,
> assuming I would have access to user/password as USER(user)/USER(password)
> in websh, I could create a page like this:
Mhhh. The authorization is not exposed because Apache explicitly hides
it for security reasons. That's why we didn't think it would be
necessary to expose it in Websh. On the other hand: your approach is
one I was tempted to use many times :-)
The following patch will give you at least a chance to set up your app
as desired:
--- src/generic/request_ap.c (revision 378313)
+++ src/generic/request_ap.c (working copy)
@@ -92,5 +92,20 @@
paramListSetAsWhole(requestData->request, "GATEWAY_INTERFACE",
Tcl_NewStringObj("CGI-websh/1.1", -1));
+
+ {
+ char *val;
+ Tcl_Obj *valo = NULL;
+
+ /* Check to see if a Authorization header is there */
+ val = (char *)ap_table_get( r->headers_in, "Authorization" );
+ if (val) {
+ valo = Tcl_NewStringObj(val, -1);
+ if (paramListAdd(requestData->request, "AUTHORIZATION", valo) != TCL_OK)
+ /* fatal case */
+ return TCL_ERROR;
+ }
+ }
+
return TCL_OK;
}
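Review bot: the fatal branch at `return TCL_ERROR;` leaves `valo` behind: `Tcl_NewStringObj` returns an object with a reference count of zero, so unless `paramListAdd` is guaranteed to take ownership of (or free) its argument even when it fails, the object is leaked on that path; either make ownership explicit around the call or note in the `/* fatal case */` comment why no cleanup is needed. The hunk also documents nothing about what it exposes: `AUTHORIZATION` carries the raw header value, i.e. the base64-encoded credentials for the Basic scheme, readable by every page script, so a comment stating that this is intentional and undecoded would spare the next reader the same surprise.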
It will expose the original Authorization header sent by the
browser. A more complicated patch would be needed to actually decode
user and pass from the base64 encoded value. Like this, you'll have to
change your code to create a USER(user) and USER(password) variable
from [web::request AUTHORIZATION].
>
> web::command default {
#Here you'll have to call a proc (to be written :-) like
DecodeAuth USER
#or similar
> if {[info exists USER]} {
> if {[checkUserPassword $USER(user) $USER(password)]} {
> showPage
> } else {
> showError "sorry, wrong user/password"
> }
> } else {
> web::response -httpresponse 401
#This should be:
web::response -httpresponse "HTTP/1.x 401"
> web::response -set WWW-Authenticate \
> "Basic realm=\"My Domain\""
> }
> }
> web::dispatch
For a real patch to Websh, it should really decode user and pass and
set them in specific request variables, but I'm still not sure if
it's a good idea, since it's a security hole: every page editor
can then steal users and passwords.
Any suggestions why it should (or not) be included?
hth
Ronnie
--
10 years of Netcetera - the future in sight
Ronnie Brunner | [EMAIL PROTECTED]
phone +41 (0)44 247 79 79 | fax +41 (0)44 247 70 75
Netcetera AG | 8040 Zürich | Switzerland | http://netcetera.ch
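The `DecodeAuth USER` proc that Ronnie leaves "to be written", together with the `[web::request AUTHORIZATION]` route he describes, worked through as an added example; this is not code from Websh, Ronnie or Holger. It assumes Tcl 8.6 (for `binary decode base64`) and a Websh built with the patch above so that `web::request AUTHORIZATION` returns the raw header; `checkUserPassword`, `showPage` and `showError` are Holger's application procs from the quoted page and are assumed to exist.

```tcl
# Added example, not part of Websh or of this thread. Assumes Tcl 8.6 and a
# Websh patched to expose the raw Authorization header as AUTHORIZATION.

# Parse an HTTP Basic "Authorization" header value into USER(user) and
# USER(password) in the caller's scope. Returns 1 on success, 0 otherwise.
proc DecodeAuth {arrayName header} {
    upvar 1 $arrayName USER
    # Only the Basic scheme carries a user:password pair; any other scheme
    # (Digest, Bearer, ...) is reported as "nothing decoded".
    if {![regexp -nocase {^\s*Basic\s+([A-Za-z0-9+/]+=*)\s*$} $header -> b64]} {
        return 0
    }
    # -strict rejects malformed base64 instead of silently skipping bytes.
    if {[catch {binary decode base64 -strict $b64} raw]} {
        return 0
    }
    # Browsers usually send UTF-8 (RFC 7617 charset parameter); decode the
    # byte array before splitting so non-ASCII passwords survive intact.
    set raw [encoding convertfrom utf-8 $raw]
    # The user-id may not contain ':' but the password may, so split at the
    # first colon only.
    set idx [string first ":" $raw]
    if {$idx < 0} {
        return 0
    }
    set USER(user)     [string range $raw 0 [expr {$idx - 1}]]
    set USER(password) [string range $raw [expr {$idx + 1}] end]
    return 1
}

# Holger's handler, rebuilt on top of DecodeAuth. The request variable is
# read inside a catch so a missing header simply yields an empty string.
web::command default {
    set hdr ""
    catch {set hdr [web::request AUTHORIZATION]}
    if {[DecodeAuth USER $hdr] && [checkUserPassword $USER(user) $USER(password)]} {
        showPage
    } else {
        # Missing, malformed or wrong credentials all get the same challenge,
        # and nothing from the submitted header is echoed back into the page.
        web::response -httpresponse "HTTP/1.x 401"
        web::response -set WWW-Authenticate "Basic realm=\"My Domain\""
        showError "sorry, wrong user/password"
    }
}
web::dispatch
```

Unlike Holger's draft, this version answers a wrong password with the same 401 challenge as a missing header, so the browser re-prompts in both cases and an attacker cannot tell "unknown scheme" from "wrong password" by the status code alone. The decoded pair lives only in the handler's USER array; as Ronnie notes, anything Websh itself stores in request variables is readable by every page script, which is the argument for keeping the decoding in the application rather than in the module.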