Gossamer Forum

Apache Password Authorisation

I am trying to use server authentication of users with an Apache web server running under Unix. Basically, I can type in my username and password and when accepted, the dbman script returns the main menu. However, when you try to submit the form in the add record section, it jumps back to the main (dbman) logon screen, requiring the user to enter their password again, losing the data. Should this be happening, and if not, how do I fix it?
Re: Apache Password Authorisation
I wish I could tell you. Possibly someone with experience in this will be able to answer your question. Sorry.


------------------
JPD





Re: Apache Password Authorisation
I noticed something similar. When I go to db.cgi, which is in a protected directory, the user goes directly to the add form as if he or she had logged in via dbman. One can't actually add, though, until one has passed through the dbman login. So it appears as if the server directory authentication is mistaken by dbman as a login. The appropriate permissions are not granted, though, so one is re-routed to the log-in page after attempting to do anything.
Re: Apache Password Authorisation
The problem is that the structure of the .pass file is totally different than the .htpasswd file. It would be highly problematic to re-write the .htaccess process to allow the extra fields that are in the .pass file in DBMAN.

Regards,

------------------
Eliot Lee
Founder and Editor
Anthro TECH, L.L.C
http://www.anthrotech.com/
info@anthrotech.com
==========================
Coconino Community College
http://www.coco.cc.az.us/
Web Technology
Coordinator
elee@coco.cc.az.us
Re: Apache Password Authorisation
I did some experimentation with this, and managed to make it work by adding some lines into the auth.pl script. Basically, when using web server authentication, the lock file is not created and other variables are not initialised. Adding the following lines in seems to sort out the problem:

After the line
elsif ($server_auth) { # The user has logged in via server authentication.

Add the following:
# Take the user name from web server authentication.
$userid = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
$uid = $ENV{'REMOTE_USER'} || $ENV{'AUTH_USER'};
# Create the lock file that is otherwise missing under server authentication.
srand( time() ^ ($$ + ($$ << 15)) );
$db_uid = "$userid." . time() . (int(rand(100000)) + 1);
open(AUTH, ">$auth_dir/$db_uid") or &cgierr("unable to open auth file: $auth_dir/$db_uid. Reason: $!\n");
print AUTH "$uid: $ENV{'REMOTE_HOST'}\n";
close AUTH;
# Normalise the permission flags to integers.
foreach (0 .. 3) { $permissions[$_] = int($permissions[$_]); }
&auth_logging('logged on', $userid) if ($auth_logging);

The only slight problem with this is that you are required to maintain two password files: the dbman one and the web server one. However, it should be possible to modify the script to maintain these automatically...
Re: Apache Password Authorisation
This didn't work for me. I wonder if it might vary according to the flavor of Apache. My server has Apache V 1.2.1.
Re: Apache Password Authorisation
I'm using Apache 1.3.9, but I've set up the access control in the httpd.conf using <Directory> tags rather than trying to use a .htaccess file, which I couldn't get to work!
Re: Apache Password Authorisation
Has anyone had any insight on this? It would be nice to keep a db in a password-protected directory.
Re: Apache Password Authorisation
Some suggestions:

1) Store all your sensitive files (.pass, .db, etc.) in a password directory outside of the main DBMAN directory.

I do this on all my DBMAN sites.

2) Take out the authorisation option, and use another cgi script to add users to the .htpasswd file. Some scripts are located at cgi-resources.com.

Regards,

------------------
Eliot Lee
Anthro TECH,L.L.C
www.anthrotech.com
----------------------
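
Added example, not part of any post in this thread and not DBMan's own code: one way to keep the web server password file in step with DBMan's, which both the auth.pl post (two password files to maintain) and suggestion 2 above touch on. It assumes that each .pass line has the form userid:crypt_hash:view:add:delete:modify:admin and that the hash is traditional 13-character crypt() output; the file names and sample entries are constructed.

```perl
#!/usr/bin/perl
# Added example (not DBMan code): rebuild .htpasswd from a DBMan .pass file.
# ASSUMPTION: .pass lines are userid:crypt_hash:view:add:delete:modify:admin
# and the hash is traditional 13-character crypt() output.
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile tempdir);

# Return "user:hash" for a well-formed .pass line, undef otherwise.
sub pass_to_htpasswd_line {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    my ($user, $hash, @perms) = split /:/, $line, -1;
    return unless defined $hash && @perms == 5;           # wrong field count
    return unless $user =~ /\A[A-Za-z0-9_.-]{1,64}\z/;    # nothing that could break the file
    return unless $hash =~ m{\A[A-Za-z0-9./]{13}\z};      # 2 salt + 11 hash characters
    return "$user:$hash";
}

sub sync_htpasswd {
    my ($pass_file, $htpasswd_file) = @_;
    open(my $in, '<', $pass_file) or die "cannot read $pass_file: $!\n";
    my (%seen, @out);
    while (my $line = <$in>) {
        next unless $line =~ /\S/;
        my $entry = pass_to_htpasswd_line($line);
        unless (defined $entry) { warn "skipping malformed line $.\n"; next; }
        my ($user) = split /:/, $entry;
        push @out, $entry unless $seen{$user}++;          # keep the first entry per user
    }
    close $in;
    # Write beside the target and rename, so the server never reads a half-written file.
    my ($tmp, $tmp_name) = tempfile('.htpasswd.XXXXXX', DIR => dirname($htpasswd_file));
    print {$tmp} "$_\n" for @out;
    close($tmp) or die "cannot write $tmp_name: $!\n";
    chmod(0640, $tmp_name) or die "chmod failed: $!\n";   # adjust so the httpd user can read it
    rename($tmp_name, $htpasswd_file) or die "rename failed: $!\n";
    return scalar @out;
}

unless (@ARGV == 2) {    # no arguments: run on constructed sample data
    my $dir = tempdir(CLEANUP => 1);
    @ARGV = ("$dir/default.pass", "$dir/.htpasswd");
    open(my $fh, '>', $ARGV[0]) or die "cannot write sample: $!\n";
    print {$fh} "admin:abCONSTRUCTED:1:1:1:1:1\n", "guest:cdCONSTRUCTED:1:0:0:0:0\n", "bad:user:x\n";
    close $fh;
}
printf "%d users written to %s\n", sync_htpasswd(@ARGV), $ARGV[1];
```

The permission fields are dropped on purpose: .htpasswd has no place for them, so DBMan still has to read them from the .pass file.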