Application driven Basic Authentication with Apache?

December 22, 2004 @ 12:16 pm

Does anybody know how to set up Basic Authentication with Apache that is driven through the application rather than through files?

In Web Connection we handle all requests by sending fully qualified HTTP responses including HTTP headers back to the Web Server and feeding that directly to ISAPI. One common implementation is application driven Basic Authentication operation which has the application fire off a 401 header.

HTTP/1.1 401 Not Authorized

WWW-Authenticate: basic realm="localhost"

<HTML><h1>Access Denied</h1><hr>

Please enter a valid username and password to access this request.</HTML>

This causes the browser to popup the Browser Authentication dialog and when authorized send back an Authentication header

GET /wconnect/wc.dll?wwdemo~Authentication HTTP/1.1

Referer: http://localhost/wconnect/

Authorization: Basic cssf0cmFobDpkdshZG1z

Cookie: WESTWINDUSER=01E0NNOPF; wc=wcSessionId=1DI095FOQ; WebStoreUser=01E0NNOPF;

This should be easy enough right? But I cannot figure out how to get Apache to do this. All the documentation I’ve seen on Basic Auth is geared towards locking down directories or files.

My requirement is to allow anonymous access to everything, but validate when a 401 request is sent. I’ve set up to support basic auth like this in my config file:

#*** WEB CONNECTION VIRTUAL - wconnect

Alias /wconnect/ "D:/Programs/Apache Group/Apache2/htdocs/wconnect/"

Options ExecCGI

DirectoryIndex default.htm

AddHandler isapi-isa dll

AuthType Basic

#Require valid-user

AuthUserFile d:/passwords.txt

AllowOverride None

Allow From all

</directory>

#*** END WEB CONNECTION VIRTUAL - wconnect

The way the file is above no authentication check occurs. The browser header gets sent and the browser pops up the auth dialog, but Apache does not validate the auth request and it fails.

Somebody suggested I use the #Require field, but when I add this all request fail outright with a 500 Internal Server Error. It makes sense that I need to tell Apache that it needs to check Auth requests, but I don't see an option that says 'only check when I tell you to check, not on everything'.

This is a most basic requirement for applications, this has gotta work somehow? Anybody have any insight here?

Feedback for this Weblog Entry

re: Application driven Basic Authentication with Apache?
by Rick Strahl December 22, 2004 @ 5:10 pm

Some progress has been made. Apparently in my configuration above I've left out the AuthName key which is required or the server fails with a 500 error.

Now I can authenticate, but authentication occurs at the directory level, not at the application level. Any request into my virtual asks for validation, but I only need to fire off requests from a dynamic page request (could be any page so wildcards won't work).

re: Application driven Basic Authentication with Apache?
by Rick Strahl February 25, 2005 @ 1:18 pm

Thanks to Christof Wollenhaupt who figured out the problem: Apache's ISAPI module comments out Basic Authentication logic and simply ignores these requests.

You gotta really wonder about the liberties taken with this stuff. Sure Basic Auth can be a security risk, but does the base code base need to be so heavy handed about this? This sort of thing is exactly why open source is such a pain in the ass. "Oh, but you got the source, fix it yourself". Right - like I want to distribute a new ISAPI_Mod.dll...

Thanks for your help Christof - much appreciated.