Does anybody know how to set up Basic Authentication with Apache that is driven through the application rather than through files?
In West Wind Web Connection we handle all requests by sending fully qualified HTTP responses, including HTTP headers, back to the Web Server and feeding that directly to ISAPI. One common implementation is application-driven Basic Authentication, which has the application fire off a 401 header:
    HTTP/1.1 401 Not Authorized
    WWW-Authenticate: basic realm="localhost"

    <HTML><h1>Access Denied</h1><hr>
    Please enter a valid username and password to access this request.</HTML>
This causes the browser to pop up the Browser Authentication dialog and, when authorized, send back an Authentication header:
    GET /wconnect/wc.dll?wwdemo~Authentication HTTP/1.1
    Referer: http://localhost/wconnect/
    Authorization: Basic cssf0cmFobDpkdshZG1z
    Cookie: WESTWINDUSER=01E0NNOPF; wc=wcSessionId=1DI095FOQ; WebStoreUser=01E0NNOPF;
This should be easy enough, right? But I cannot figure out how to get Apache to do this. All the documentation I’ve seen on Basic Auth is geared towards locking down directories or files.
My requirement is to allow anonymous access to everything, but validate when a 401 request is sent. I’ve set up to support basic auth like this in my config file:
    #*** West Wind Web Connection VIRTUAL - wconnect
    Alias /wconnect/ "D:/Programs/Apache Group/Apache2/htdocs/wconnect/"
    <directory "D:/Programs/Apache Group/Apache2/htdocs/wconnect/">
        Options ExecCGI
        DirectoryIndex default.htm
        AddHandler isapi-isa dll
        AuthType Basic
        #Require valid-user
        AuthUserFile d:/passwords.txt
        AllowOverride None
        Allow From all
    </directory>
    #*** END West Wind Web Connection VIRTUAL - wconnect
The way the file is above, no authentication check occurs. The browser header gets sent and the browser pops up the auth dialog, but Apache does not validate the auth request and it fails.
Somebody suggested I use the #Require field, but when I add this all requests fail outright with a 500 Internal Server Error. It makes sense that I need to tell Apache that it needs to check Auth requests, but I don't see an option that says 'only check when I tell you to check, not on everything'.
This is a most basic requirement for applications, this has gotta work somehow? Anybody have any insight here?
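The application side of the exchange described in this post, sketched in Python as an added example (it is not code from the post or from West Wind Web Connection): it issues the 401 challenge, parses the returned `Authorization: Basic` header and checks it against a salted hash. The `handle` function, the in-memory `USERS` store and the `demo` account are constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "localhost"  # realm string from the 401 response shown in the post

# Constructed credential store (assumption): username -> (salt, PBKDF2-SHA256 hash).
_SALT = b"constructed-salt"
USERS = {"demo": (_SALT, hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000))}


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":        # scheme name is case-insensitive
        return None
    try:
        # Base64 is an encoding, not encryption: this exchange needs TLS.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # malformed token: treat as unauthenticated
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def check_credentials(user, password):
    # Unknown users are hashed against a dummy entry so timing stays similar.
    salt, expected = USERS.get(user, (_SALT, b"\x00" * 32))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(actual, expected) and user in USERS


def handle(headers):
    """Return (status, response_headers, body) for a protected request."""
    creds = parse_basic(headers.get("Authorization"))
    if creds and check_credentials(*creds):
        return 200, {}, "Hello, " + creds[0]
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    return 401, challenge, "<h1>Access Denied</h1>"
```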