[pca] RFE: pca-proxy.cgi without stored credentials
Sebastian Kayser
sebastian+pca at skayser.de
Tue Nov 17 12:09:19 CET 2009
Hi Martin,
* Martin Paul <martin at par.univie.ac.at> wrote:
> >Hm, how about making the username something like
> >
> > <SOA-Username>!<SOA-Password>
> >
> >I.e. separate the username & password in the username "field" with something
> >like a ! (or whatever...).
>
> Won't help either - to make the HTTPD set REMOTE_USER, which could then
> be used by the CGI, you need a ".htaccess" file, as far as I understand
> it. The CGI itself can't force the HTTPD to do the authentication, as it
> seems.

thanks for looking into it.

Couldn't you just use a "custom" authentication scheme to handle auth
between pca-proxy.cgi and pca? When pca-proxy.cgi needs to go to
Sunsolve for a patch and doesn't have configured credentials, respond
with

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: pca realm="SOA"

At least Apache simply passes such unknown authentication schemes ("pca"
in the example above) along. pca would check the headers before actually
downloading a patch from the proxy, query for credentials if it receives
a 401, and send back the credentials in a custom header (which is
available to the pca-proxy.cgi) on subsequent requests.

    Authorization: pca realm="SOA"
    X-pca-Auth: <base64-encoded-usernamepw>

pca-proxy.cgi would then just use those credentials. You are using
wget's --header already, the one thing needed would be the pre-download
HTTP status code check to determine whether authentication is required.

Sounds feasible?

Sebastian
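
The exchange proposed in the message above, modelled from both sides as an added example (not code from pca, pca-proxy.cgi or the original post). The function names, the "user:password" layout inside the base64 value and the sample credentials are assumptions; the header names and the 401 challenge are the ones given in the message.

```python
import base64
import binascii

SCHEME = 'pca realm="SOA"'  # challenge/authorization value from the message

def client_headers(user, password):
    """Headers pca would add (e.g. via wget --header) after receiving a 401."""
    # Assumption: credentials are joined as "user:password" before encoding.
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return {"Authorization": SCHEME, "X-pca-Auth": token}

def cgi_environ(headers):
    """Model how a CGI sees request headers: HTTP_ prefix, upper case, '-' -> '_'.
    Apache does not hand Authorization to CGI scripts by default, which is why
    the credentials travel in the separate X-pca-Auth header."""
    return {"HTTP_" + k.upper().replace("-", "_"): v
            for k, v in headers.items() if k.lower() != "authorization"}

def proxy_credentials(environ, configured=None):
    """Proxy side: return (status, response_headers, credentials)."""
    challenge = (401, {"WWW-Authenticate": SCHEME}, None)
    if configured:                      # stored credentials: no challenge needed
        return 200, {}, configured
    token = environ.get("HTTP_X_PCA_AUTH")
    if not token:
        return challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return challenge                # malformed header: ask again
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not user:
        return challenge
    return 200, {}, (user, password)

def exchange(user, password):
    """Pre-download status check, then the retry with credentials."""
    first = proxy_credentials(cgi_environ({}))
    if first[0] != 401 or not first[1]["WWW-Authenticate"].startswith("pca "):
        return first
    return proxy_credentials(cgi_environ(client_headers(user, password)))

if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    print(exchange("soa-user", "s3cret:with-colon"))
```

Base64 is an encoding, not encryption, so X-pca-Auth carries the password in recoverable form: the pca-to-proxy connection needs HTTPS, and the header should be kept out of web server and proxy logs.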