[Previous] [Next] [Index]
[Thread]
httpd authentication and CGI problem
I also posted this to a couple of the CGI-related newsgroups, but I
think this list would probably harbor the most expertise in this area. I
also haven't gotten a response that answers my questions or offers the
solution I am looking for.
Apologies if this group prefers not to handle authoring issues such as
this. I saw a number of these types of discussion in the archives.
---
This is kind of a complicated one.
CERN httpd 3.0
CGI 1.1-compatible
Using built-in authentication/protections with Protect rules
in the config file.
What I'm doing is making a number of databases available to licensed
users on the Web. As we are going to license them separately (i.e.
users can purchase all or some or one), I wanted a way to both protect
them separately and to present the list of available databases for
each authenticated user. So, I wrote a CGI-program to do it, which
works fine. Its a Bourne-shell script which uses grep, sed and awk
to grab the appropriate pieces of info from the group and passwd file for
the http server. It generates the info that I want and works quickly.
I will probably write a more formal version on Perl or perhaps C if
time permits.
The problem is with authentication. I had originally just a static
document which listed all of the databases until I got around to
writing the presentation program. I also defined a protection rule
so that users had to authenticate immediately (i.e. Protect /*), and
this set of rules:
Protect /cgi-bin/* PROT-SETUP-GENERIC
Protect /db/ea/* PROT-EA
Protect /db/ca/* PROT-CA
Protect /db/gdd/* PROT-GDD
Protect /db/rcd/* PROT-RCD
Protect /db/bgmi/* PROT-BGMI
Each of these PROT-* defs is essentially the same:
Protection PROT-RCD {
UserId nobody
GroupId nogroup
ServerId Gale_Research_Centers_Directory
AuthType Basic
PasswdFile /brs/httpd/etc/passwd
GroupFile /brs/httpd/etc/group
Get-Mask rcd
}
The Get-Mask changes to the name of the group defined in the group file
which has access to the database (the ServerId changes too but so what?).
I know there are other ways to do this with CERN httpd...this was the one
I got to work initially and didn't want to press my luck.
So what happens is that I would request /index.htm (just by asking for
"/"), and would get prompted for authentication. Then I would get
my static listing, with the graphical icons for each database. I
would know that my authentication was working by the fact that I would
get every icon, which is each underneath a directory protected by a
different protection rule.
But, when I do the same thing, 'cept that the document that lists the
available databases is generated on the fly, I am requested to authenticate
to EACH authentication rule as each graphic, protected by a different
rule, is loaded. I know this because the various ServerIds (which map
to the names of the databases themselves) are displayed for each
challenge. The only difference that I can see is that one document is
generated from a simple GET request, the other the output of a CGI
program.
I'm wondering if I have to do something in my CGI program to handle
the authentication header or somesuch so that the browser caches
the authentication string properly? Seems like something is getting lost,
and the difference is with CGI.
Taking a look at the CGI specification at hoohoo, and the fact that
a couple of the sample programs mention that they don't handle
authentication, I get the feeling that this is what I'm not doing. But
I don't see any authentication info in the herd of environment variables
that my program is getting from httpd.
Does Netscape (or any compliant browser :-]) cache the authentication
key/cookie for the lifetime of the session? I've gone out and come back
from a protected space and not had to re-authenticate. Yet it seems that
somehow the browser is failing the challenge which occurs which each
request to the protected space.
Does anyone have any experience with this and have a clue as to what I am
talking about? Suggestions?
Any help is gladly appreciated.
-brian
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Brian W. Spolarich briansp@umich.edu
Gale Research, Inc. (313) 961-2242 x1021
Internet Publishing Specialist http://www.gale.com/
=-=-=-=-=-=I'd explain it to you, but your brain would explode.-=-=-=-=-=-=