httpd authentication and CGI problem

• To: www-security@ns2.rutgers.edu
• Subject: httpd authentication and CGI problem
• From: "Brian W. Spolarich" <briansp@umich.edu>
• Date: Sat, 22 Jul 1995 14:20:45 -0400 (EDT)

  I also posted this to a couple of the CGI-related newsgroups, but I 
think this list would probably harbor the most expertise in this area.  I 
also haven't gotten a response that answers my questions or offers the 
solution I am looking for.

  Apologies if this group prefers not to handle authoring issues such as 
this.  I saw a number of these types of discussion in the archives.

 ---

  This is kind of a complicated one.

  CERN httpd 3.0
	CGI 1.1-compatible
  	Using built-in authentication/protections with Protect rules
	in the config file.

  What I'm doing is making a number of databases available to licensed
  users on the Web.  As we are going to license them separately (i.e.
  users can purchase all or some or one), I wanted a way to both protect
  them separately and to present the list of available databases for 
  each authenticated user.  So, I wrote a CGI-program to do it, which
  works fine.  Its a Bourne-shell script which uses grep, sed and awk 
  to grab the appropriate pieces of info from the group and passwd file for
  the http server.  It generates the info that I want and works quickly.
  I will probably write a more formal version on Perl or perhaps C if 
  time permits.

  The problem is with authentication.  I had originally just a static
  document which listed all of the databases until I got around to 
  writing the presentation program.  I also defined a protection rule
  so that users had to authenticate immediately (i.e. Protect /*), and
  this set of rules:

Protect /cgi-bin/*              PROT-SETUP-GENERIC
Protect /db/ea/*                PROT-EA
Protect /db/ca/*                PROT-CA
Protect /db/gdd/*               PROT-GDD
Protect /db/rcd/*               PROT-RCD
Protect /db/bgmi/*              PROT-BGMI

  Each of these PROT-* defs is essentially the same:

Protection PROT-RCD {
        UserId          nobody
        GroupId         nogroup
        ServerId        Gale_Research_Centers_Directory
        AuthType        Basic
        PasswdFile      /brs/httpd/etc/passwd
        GroupFile       /brs/httpd/etc/group
        Get-Mask        rcd
}

  The Get-Mask changes to the name of the group defined in the group file
  which has access to the database (the ServerId changes too but so what?).

  I know there are other ways to do this with CERN httpd...this was the one
  I got to work initially and didn't want to press my luck.

  So what happens is that I would request /index.htm (just by asking for 
  "/"), and would get prompted for authentication.  Then I would get
  my static listing, with the graphical icons for each database.  I 
  would know that my authentication was working by the fact that I would
  get every icon, which is each underneath a directory protected by a
  different protection rule.

  But, when I do the same thing, 'cept that the document that lists the
  available databases is generated on the fly, I am requested to authenticate
  to EACH authentication rule as each graphic, protected by a different
  rule, is loaded.  I know this because the various ServerIds (which map
  to the names of the databases themselves) are displayed for each
  challenge.  The only difference that I can see is that one document is
  generated from a simple GET request, the other the output of a CGI
  program.

  I'm wondering if I have to do something in my CGI program to handle
  the authentication header or somesuch so that the browser caches
  the authentication string properly?  Seems like something is getting lost,
  and the difference is with CGI.

  Taking a look at the CGI specification at hoohoo, and the fact that
  a couple of the sample programs mention that they don't handle
  authentication, I get the feeling that this is what I'm not doing.  But
  I don't see any authentication info in the herd of environment variables
  that my program is getting from httpd.

  Does Netscape (or any compliant browser :-]) cache the authentication
  key/cookie for the lifetime of the session?  I've gone out and come back
  from a protected space and not had to re-authenticate.  Yet it seems that
  somehow the browser is failing the challenge which occurs which each
  request to the protected space.

  Does anyone have any experience with this and have a clue as to what I am
  talking about?  Suggestions?  

  Any help is gladly appreciated.  

  -brian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Brian W. Spolarich				          briansp@umich.edu
Gale Research, Inc.				       (313) 961-2242 x1021
Internet Publishing Specialist			       http://www.gale.com/
=-=-=-=-=-=I'd explain it to you, but your brain would explode.-=-=-=-=-=-=

• Previous: Cern HTTPD: Password/Login problems ?
• Next: Cern HTTPD: Password/Login problems ? - Me Too
• Index(es):
  • Index
  • Thread