Remote_user and remote_password for custom http authentication?

Hello,

I hope everyone is having a nice weekend.

Can anyone out there tell me whether it would be possible to access
the remote user name and password ($user and $password in
http://$user:[email protected]/) so that I can roll my own basic
HTTP authentication?

It seems to me that remote_user is only available when the Auth Basic
module is enabled, but am I missing something?

Jed

On Sun, Oct 14, 2007 at 02:53:13PM +0800, Jed Schmidt wrote:

> Can anyone out there tell me whether it would be possible to access
> the remote user name and password ($user and $password in
> http://$user:[email protected]/) so that I can roll my own basic
> HTTP authentication?
>
> It seems to me that remote_user is only available when the Auth Basic
> module is enabled, but am I missing something?

No, the $remote_user variable is available without
ngx_http_auth_basic_module; however, currently there is no
$remote_password variable, although it could easily be added.

Igor,

It would be awesome if you could add that, unless there is a way to
access it already. Is there some header, for example, from which I can
access it already?

Jed

Jed Schmidt wrote:

> Igor,
>
> It would be awesome if you could add that, unless there is a way to
> access it already. Is there some header, for example, from which I can
> access it already?

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8
http://www.ietf.org/rfc/rfc2617.txt

Regards Manlio P.

Manlio,

Thanks for that reference. Maybe I’m doing something wrong, but when I
access a URL in the $user:[email protected]/ format, and then try
to access the $http_authorization variable in an SSI or in a rewrite
rule, it returns nothing. In other words, let’s say I have the
following rule:

    location = /auth {
        rewrite (.*) http://google.com/search?q=$http_authorization;
    }

and then access http://user:[email protected]/auth. If the username and
password were accessible, wouldn’t I be forwarded to
http://google.com/search?q=user:pass? Right now I’m being forwarded to
http://google.com/search?q= instead.

Thanks again for your help,

Jed

A little more information to shed some light on this problem. I have
an SSI-enabled html file at

http://72.44.41.145/beta/authcheck.html

which contains the following:

http_authorization:

When I execute the following in curl:

    curl http://user:pass@72.44.41.145/beta/authcheck.html

I get

http_authorization: Basic dXNlcjpwYXNz

But when I use Firefox or Safari to get the same URL, I get

http_authorization:

I am totally at a loss. Would someone mind giving this URL a try and
tell me what I’m doing wrong?

Thanks again,

Jed

On Sunday 14 October 2007, Jed Schmidt wrote:

> I am totally at a loss. Would someone mind giving this URL a try and
> tell me what I’m doing wrong?

Your URL does not require authorization; that’s why some browsers don’t
auth.

Roxis,

Thanks for pointing that out. I didn’t realize that browsers actually
check first to see whether authorization is required. I’ve added this
rule to my location:

    location / {
        if ($http_authorization !~ ^Basic) {
            add_header 'WWW-Authenticate' 'Basic realm="Restricted"';
            return 401;
        }
        perl mymodule::auth;
    }

and it returns the 401 correctly if there is no Authorization header,
but fails to add the WWW-Authenticate header. According to the
documentation, the add_header directive “adds headers to the HTTP
response when the response code is equal to 200, 204, 301, 302 or
304.” Is the header being left off because it’s a 401?

Thanks again for your help, guys.

Jed
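
The challenge/response flow discussed in this thread, as an added Python example (not code from any poster or from nginx): a request without usable Basic credentials gets a 401 with a WWW-Authenticate challenge, and otherwise the base64 `user:pass` pair from the Authorization header is decoded and checked. The function names, the salt and the sample credential store are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "Restricted"            # realm string used in the thread's config
SALT = b"constructed-salt"      # constructed; use a random per-user salt in practice


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


USERS = {"user": _hash("pass")}  # constructed sample store (hashes, not plaintext)
_DUMMY = _hash("")               # compared against when the user is unknown


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # the password may contain ':'
    if not sep:
        return None
    return user, password


def authenticate(header):
    """Return (status, response_headers, user) for one request."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic(header)
    if creds is None:
        return 401, challenge, None     # no credentials yet: ask the client for them
    user, password = creds
    stored = USERS.get(user)
    # Always hash and compare in constant time, even for unknown users.
    match = hmac.compare_digest(stored or _DUMMY, _hash(password))
    if stored is None or not match:
        return 401, challenge, None
    return 200, {}, user
```

Because the header value is only base64, anyone who can read the request recovers the password, so this scheme belongs behind TLS.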