BasicAuth controlled from CGI script

Is this possible:

I want a CGI script I'm writring to decide whether or not to
send a "401 Authorization Required" header based on the received
URL parameters. When the browser returns the WWW-Authenticate
header I want Apache to validate it and put the userID in the
environment as usual. I can successfully send the 401 but don't
seem to be able to get Apache to validate the header. As far
as I can tell, Apache is ignoring it. If I set up authentication
in cgi-bin's .htaccess, then ALL invocations of the script result
in a 401 challenge to the browser. I want the CGI script to
determine which requests get challenged. Is this possible?

TIA

Jim Garrison
jhg@acm.org

Jim Garrison <jhg@acm.org> wrote in message news:<iMPJa.19659$hV.942782@twister.austin.rr.com> ...
> Is this possible:
>
> I want a CGI script I'm writring to decide whether or not to
> send a "401 Authorization Required" header based on the received
> URL parameters. When the browser returns the WWW-Authenticate
> header I want Apache to validate it and put the userID in the
> environment as usual. I can successfully send the 401 but don't
> seem to be able to get Apache to validate the header. As far
> as I can tell, Apache is ignoring it. If I set up authentication
> in cgi-bin's .htaccess, then ALL invocations of the script result
> in a 401 challenge to the browser. I want the CGI script to
> determine which requests get challenged. Is this possible?

No, you can't do basic auth through a cgi script, because you would
need to verify the password within the script, and apache will
not pass the password to the script (because doing so would
be a security hole).

Joshua.

> I want a CGI script I'm writring to decide whether or not to
> send a "401 Authorization Required" header based on the received
> URL parameters. When the browser returns the WWW-Authenticate
> header I want Apache to validate it and put the userID in the
> environment as usual. I can successfully send the 401 but don't
> seem to be able to get Apache to validate the header. As far
> as I can tell, Apache is ignoring it. If I set up authentication
> in cgi-bin's .htaccess, then ALL invocations of the script result
> in a 401 challenge to the browser. I want the CGI script to
> determine which requests get challenged. Is this possible?

afaik not with plain apache. it's either free access or some kind of
requirement all the time. what you could do is have two copies of your
script (or symlink it) and prtect one of them with a auth in a <Files>
block. then you could either instead of sending the 401 yourself just
send a redirect to the protected version and apache will send a 401
and check in the future, or you go for maximum opaquenes, send the 401
yourself and use something like this:

RewriteEngine On
RewriteCond %{HTTP:Authorization} !^$
RewriteRule /cgi-bin/your.cgi /cgi-bin/your-protected.cgi [PT]

this will look at the request and send it to the regular version of
the cgi normally, unless the request happens to have some kind of auth
credentials - be it due to a former 401 header or to joe hacker taking
a guess.

joachim

Jim Garrison <jhg@acm.org> writes:
> I guess I wasn't very clear in my original question. I WANT
> Apache to do the authentication, but only when I cause the
> client browser to send WWW-Authenticate by responding to the
> original request with a 401. If no WWW-Authenticate header is
> received, I want the CGI script to get the request without
> going through validation.

You can probably do something like that by writing a special module,
but not with a normal cgi. Apache won't normally call a cgi until it
decides validation has happened (or is not needed). But if it can't
decide until the cgi has already run, there's a chicken and egg problem.

You probably are best off letting the cgi do your authentication
itself. HTTP authentication is pretty rudimentary and isn't designed
to do complicated things.

On Wed, 25 Jun 2003 01:53:25 +0000, Jim Garrison wrote:

>
> I guess I wasn't very clear in my original question. I WANT Apache to
> do the authentication, but only when I cause the client browser to send
> WWW-Authenticate by responding to the original request with a 401. If
> no WWW-Authenticate header is received, I want the CGI script to get the
> request without going through validation. That way the CGI script can
> control (but not participate in) authentication by sending a 401 for
> those requests that require authentication. Here's a skeleton of the
> script:
>
> if (request parameters indicate need for authentication)
> if (remote_user is null) // indicating failed auth or no auth
> send 401 header and error HTML
> else # Apache authenticated the request
> process the request
> else
> process the request
>
> The script has no part in the actual authentication, it just decides
> when authentication will be required.


RewriteEngine On
RewriteCond %{HTTP:WWW-Authenticate} . RewriteRule .* -
[E=do_authz:1]

Satisfy any
<Directory /your_dir>
Order Deny,Allow
Allow from all
Deny from env=do_authz
</Directory>

could do the trick. It is not testet, but I think it gives at least an
idea for a possible soloution.

Hth,
Joachim

--
"Geld ist ein Zeichen von Armut." - Iain Banks - Ein Geschenk der Kultur