Re: tiny-authorizer & apache

Mark Brown (mbrown@openmarket.com)
Tue, 17 Sep 1996 11:13:42 -0400

Message-Id: <199609171513.LAA16063@breckenridge.openmarket.com>
To: fastcgi-developers@openmarket.com
Subject: Re: tiny-authorizer & apache 
In-Reply-To: <199609171227.OAA13202@digicol.com> 
Date: Tue, 17 Sep 1996 11:13:42 -0400
From: Mark Brown <mbrown@openmarket.com>


Thies Arntzen writes:

    Is the such thing [as CGIPassword] in apache???

CGIPassword is a region command in the Open Market server.
(A region command is something that can be run for each
request whose URL matches a pattern specified in the server config.)
CGIPassword simply decodes HTTP_AUTHORIZATION into its
component parts REMOTE_USER and REMOTE_PASSWD to make life easier
for CGI programs that perform their own authentication.  If
HTTP_AUTHORIZATION is not present then CGIPassword returns the
AUTH_REQUIRED response so the user will be prompted for a name and
password.

I just looked at the various mod_auth*.c files that come with
Apache 1.1.1 and none of them appears to do what CGIPassword does.
You could modify mod_auth.c to do it; mostly you'd throw away
the code that performs the password file lookup, and add code
that creates the REMOTE_USER and REMOTE_PASSWD variables for
the CGI or FastCGI responder to use.

This seems like a good question for the regular Apache mailing list.
Hard to believe it has never been done.

    Is there ANY way to do author. via (and only) thru a (f)cgi????
    ... apache does not even send HTTP_AUTHORIZATION down to my cgi....

Perhaps Apache filters out HTTP_AUTHORIZATION by default, as a security
measure?  Here again I am ignorant.

TinyAuthorizer itself is designed to use the Authorizer role, which
mod_fastcgi does not support.  If somebody adds it I'd be interested
in getting the patch.

    --mark