- From: Brandon Long <blong@uiuc.edu>
- Date: Thu, 28 Mar 1996 11:54:13 -0600 (CST)
- To: dnew@fv.com
- Cc: mwm@contessa.phone.net, www-talk@w3.org
Last time, Darren New uttered the following other thing:
>
> On Tue, 26 Mar 1996, Mike Meyer wrote:
>
> > they did. If you really want to do this and source is available, it's
> > probably pretty simple to find the code that prevents authentication
> > headers from going into the environment and disable it.
>
> Actually, for at least the ones I've looked at, it's a pain. It would be
> much easier to special-case taking it out of the environment than it would
> be to write code to find it and insert it into the environment in the
> right place. The real problem is that the CGI script doesn't get invoked
> until *after* the username and password are validated. If you want the CGI
> script to do the validation, you're out of luck.

There is a one line code change in most versions of NCSA HTTPd (at least 1.3 - 1.5) to make it pass the Authorization header through to CGI scripts. Remove the line in get_http_headers() in the strcasecmp(Authorization) section which says continue;. This will cause the code to fall through and make the HTTP header into a CGI environment variable.

We don't do this normally for most of the reasons presented in this discussion (the environment of processes is available on some systems, and I could also write a rogue script that will send fake auth messages and log the user/passwords which are returned.)

> This is falling back to the old ACL/setuid argument. Is it better to have
> the access control built in to a system (like httpd) or is it better to
> give a user program the info it needs to decide whether to permit access?
> Currently, I've not found a browser that will invoke CGIs whose basic
> authentication doesn't match what's in the config files, so you're stuck
> with what's compiled into the server. I imagine other servers give you
> different APIs for intercepts at different places, but I haven't looked
> too closely at them yet.
Certain servers, such as Netscape, Apache, Microsoft, Spyglass, Openmarket have various application interfaces which are much more flexible than the CGI standard, as well as generally faster than CGI.

Brandon

--
Brandon Long        "I think, therefore, I am confused." -- RAW
HTTPd/SDG/NCSA      I violated the Communications Decency Act ... or will.
ECE/UIUC            blong@uiuc.edu  http://www.uiuc.edu/ph/www/blong
N9WUC               Don't worry, these aren't even my views.
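The header-to-environment step the message describes, as an added example that is not NCSA HTTPd's own get_http_headers() (that source is not on this page): a simplified model of how a request header line becomes a CGI HTTP_* variable, with the Authorization filter whose removal the one-line change amounts to. The header names and values are constructed, and the function name header_to_env is an assumption.

```c
/* Added illustration, not NCSA HTTPd source: a simplified model of how a
 * CGI-era server maps request headers to HTTP_* environment variables. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Turn a raw "Name: value" line into "HTTP_NAME=value" in out. Returns 1 if
 * a variable was produced, 0 if the line is malformed or filtered. The
 * Authorization check plays the role of the `continue;` the message
 * describes: while it is in place, credentials never reach the CGI process's
 * environment, which ps or /proc may expose and any script could log. */
int header_to_env(const char *line, char *out, size_t outlen)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)
        return 0;                                 /* not a header line */
    size_t nlen = (size_t)(colon - line);
    if (nlen == strlen("Authorization") &&
        strncasecmp(line, "Authorization", nlen) == 0)
        return 0;                                 /* filtered on purpose */
    const char *val = colon + 1;
    while (*val == ' ' || *val == '\t')
        val++;                                    /* skip leading blanks */
    if (strlen("HTTP_") + nlen + 1 + strlen(val) + 1 > outlen)
        return 0;                                 /* would not fit */
    char *p = out;
    p += sprintf(p, "HTTP_");
    for (size_t i = 0; i < nlen; i++) {           /* User-Agent -> USER_AGENT */
        unsigned char c = (unsigned char)line[i];
        *p++ = (c == '-') ? '_' : (char)toupper(c);
    }
    *p++ = '=';
    strcpy(p, val);
    return 1;
}

int main(void)
{
    /* constructed request headers; the Basic credential is a dummy value */
    const char *req[] = { "Host: www.example.org", "User-Agent: Mosaic/2.7",
                          "Authorization: Basic dXNlcjpwYXNz", "Accept: text/html" };
    char var[256];
    for (int i = 0; i < 4; i++)
        if (header_to_env(req[i], var, sizeof var))
            puts(var);                  /* HTTP_AUTHORIZATION is never printed */
    return 0;
}
```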
Received on Thursday, 28 March 1996 12:53:26 UTC