Apache HTTP Server Version 2.4
Available Languages: ko
Description: | Basic HTTP authentication |
---|---|
Status: | Base |
Module Identifier: | auth_basic_module |
Source File: | mod_auth_basic.c |
Compatibility: | Available in Apache 2.1 and later |
This module allows the use of HTTP Basic Authentication to restrict access by looking up users in the given providers. HTTP Digest Authentication is provided by mod_auth_digest.
Description: | Sets whether authorization and authentication are passed to lower level modules |
---|---|
Syntax: | AuthBasicAuthoritative On|Off |
Default: | AuthBasicAuthoritative On |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_auth_basic |
Normally, each authorization module listed in AuthBasicProvider directive. When using such modules, the order of processing is determined in the modules' source code and is not configurable.
Description: | Fake basic authentication using the given expressions for username and password |
---|---|
Syntax: | AuthBasicFake off|username [password] |
Default: | none |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_auth_basic |
Compatibility: | Apache HTTP Server 2.4.5 and later |
The username and password specified are combined into an Authorization header, which is passed to the server or service behind the webserver. Both the username and password fields are interpreted using the expression parser, which allows both the username and password to be set based on request parameters.

If the password is not specified, the default value "password" will be used. To disable fake basic authentication for a URL space, specify "AuthBasicFake off".

In this example, we pass a fixed username and password to a backend server.

```
<Location "/demo">
    AuthBasicFake demo demo
</Location>
```

In this example, we pass the email address extracted from a client certificate, extending the functionality of the FakeBasicAuth option within the SSLOptions directive. Like the FakeBasicAuth option, the password is set to the fixed string "password".

```
<Location "/secure">
    AuthBasicFake "%{SSL_CLIENT_S_DN_Email}"
</Location>
```

Extending the above example, we generate a password by hashing the email address with a fixed phrase, and passing the hash to the backend server. This can be used to gate into legacy systems that do not support client certificates.

```
<Location "/secure">
    AuthBasicFake "%{SSL_CLIENT_S_DN_Email}" "%{sha1:phrase-%{SSL_CLIENT_S_DN_Email}}"
</Location>
```

```
<Location "/public">
    AuthBasicFake off
</Location>
```
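The following added example (not part of the Apache documentation or source) shows the Authorization header a backend would receive from the configurations above and how a backend could validate the hashed variant. It assumes the backend knows the fixed phrase and that the `sha1` expression yields lowercase hex; the function names and the sample address are hypothetical.

```python
import base64
import hashlib
import hmac


def derived_password(email, phrase="phrase-"):
    # Mirrors "%{sha1:phrase-%{SSL_CLIENT_S_DN_Email}}" (lowercase hex assumed).
    return hashlib.sha1((phrase + email).encode("utf-8")).hexdigest()


def fake_basic_header(username, password="password"):
    # Basic credentials are "username:password", base64-encoded. A colon in
    # the username would shift the split point on the receiving side.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def backend_accepts(authorization, phrase="phrase-"):
    """Return the username if the header carries the expected derived
    password, otherwise None."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = derived_password(username, phrase)
    if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return username
    return None


if __name__ == "__main__":
    email = "alice@example.org"  # constructed sample value
    header = fake_basic_header(email, derived_password(email))
    print(header, "->", backend_accepts(header))
```

A header built with only the fixed default password is rejected by this check, because the same string is sent for every user and proves nothing about who made the request.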
Description: | Sets the authentication provider(s) for this location |
---|---|
Syntax: | AuthBasicProvider provider-name [provider-name] ... |
Default: | AuthBasicProvider file |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_auth_basic |
The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module. Make sure that the chosen provider module is present in the server.

```
<Location "/secure">
    AuthType basic
    AuthName "private area"
    AuthBasicProvider dbm
    AuthDBMType SDBM
    AuthDBMUserFile "/www/etc/dbmwd"
    Require valid-user
</Location>
```

Providers are queried in order until a provider finds a match for the requested username, at which point this sole provider will attempt to check the password. A failure to verify the password does not result in control being passed on to subsequent providers.
Providers are implemented by mod_authn_socache.
Description: | Check passwords against the authentication providers as if Digest Authentication was in force instead of Basic Authentication. |
---|---|
Syntax: | AuthBasicUseDigestAlgorithm MD5|Off |
Default: | AuthBasicUseDigestAlgorithm Off |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Base |
Module: | mod_auth_basic |
Compatibility: | Apache HTTP Server 2.4.7 and later |
Normally, when using Basic Authentication, the providers listed in AuthBasicProvider attempt to verify a user by checking their data stores for a matching username and associated password. The stored passwords are usually encrypted, but not necessarily so; each provider may choose its own storage scheme for passwords.

When using AuthDigestProvider and Digest Authentication, providers perform a similar check to find a matching username in their data stores. However, unlike in the Basic Authentication case, the value associated with each stored username must be an encrypted string composed from the username, realm name, and password. (See RFC 2617, Section 3.2.2.2 for more details on the format used for this encrypted string.)

As a consequence of the difference in the stored values between Basic and Digest Authentication, converting from Digest Authentication to Basic Authentication generally requires that all users be assigned new passwords, as their existing passwords cannot be recovered from the password storage scheme imposed on those providers which support Digest Authentication.

Setting the AuthBasicUseDigestAlgorithm directive to MD5 will cause the user's Basic Authentication password to be checked using the same encrypted format as for Digest Authentication. First a string composed from the username, realm name, and password is hashed with MD5; then the username and this encrypted string are passed to the providers listed in AuthBasicProvider as if AuthType was set to Digest and Digest Authentication was in force.

Through the use of AuthBasicUseDigestAlgorithm a site may switch from Digest to Basic Authentication without requiring users to be assigned new passwords.
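The check described above, written out as an added example (not Apache's own code): a Basic Authorization header is decoded, the string username:realm:password is hashed with MD5, and the result is compared with the value in a Digest-format store. The `user:realm:hash` line layout, the function names and the sample credentials are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac


def ha1(username, realm, password):
    # RFC 2617 section 3.2.2.2: MD5 over "username:realm:password", hex-encoded.
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def parse_digest_store(text):
    """Map (username, realm) -> stored hash from "user:realm:hash" lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, stored = line.split(":", 2)
        table[(user, realm)] = stored.lower()
    return table


def check_basic_with_digest_store(authorization, realm, table):
    """Verify a Basic header against Digest-format stored values."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    username, sep, password = decoded.partition(":")
    if not sep:
        return False
    stored = table.get((username, realm))
    if stored is None:
        return False  # unknown user, or a hash bound to a different realm
    candidate = ha1(username, realm, password)
    return hmac.compare_digest(stored.encode("ascii"), candidate.encode("ascii"))


# Constructed sample store: one user in the realm "private area".
SAMPLE_STORE = "alice:private area:" + ha1("alice", "private area", "wonderland")
```

Because the realm is part of the hashed string, a stored value only matches under the realm it was created for; changing the realm name invalidates every entry.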
AuthBasicUseDigestAlgorithm is set to MD5. Use of other providers will result in an error response and the client will be denied access.