
#1652 revisit http authentication when nested folders

nextrelease
open
nobody
None
5
2016-08-04
2016-08-04
No

I need to verify that http authentication is handled properly when there are nested folders. For example, you have

http://autoplot.org/data/restricted/ which is restricted to group:grouppassword, and
http://autoplot.org/data/restricted/user1/ which is restricted to user1:user1password.

and also
http://autoplot.org/data/restricted2/ which is restricted to group2:group2password.

My recollection is that the entire website would have just one password.

Discussion

  • Jeremy Faden

    Jeremy Faden - 2016-08-04

    I've confirmed this--in the keychain.txt file, only the root of the directory is kept.

     
  • Jeremy Faden

    Jeremy Faden - 2016-08-04

    My naive understanding of how this should work is that the key should be the website and the "Basic realm" value of the WWW-Authenticate response header is what should be used as the key.

    I notice the code goes through KeyChain each time, and somehow it needs to avoid the extra hit to get the "Basic realm" key.

     

    Last edit: Jeremy Faden 2016-08-04
  • Jeremy Faden

    Jeremy Faden - 2016-08-04

    I need to cache the passwords using the "Basic auth" key. Also I need to look at the use of the "Authorization" of the request headers.
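
The caching scheme discussed in this thread, as an added example that is not Autoplot's code or part of the original ticket: credentials are keyed by site plus "Basic realm", and a per-folder index picks the deepest matching folder so the Authorization header can be sent without an extra 401 round trip. The class and method names are hypothetical and the realm names are constructed samples; the URLs and credentials are the ones from the ticket.

```python
import base64
import re
from urllib.parse import urlsplit
def parse_basic_realm(www_authenticate):
    """Realm of a Basic challenge whose first parameter is realm, else None."""
    m = re.search(r'\bBasic\s+realm="((?:[^"\\]|\\.)*)"', www_authenticate, re.I)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

class BasicCredentialCache:
    """Hypothetical cache: credentials per (origin, realm), realm per folder."""
    def __init__(self):
        self._by_realm = {}   # (origin, realm) -> (user, password)
        self._by_prefix = {}  # (origin, folder path) -> realm

    @staticmethod
    def _split(url):
        u = urlsplit(url)
        path = u.path or "/"
        # Keep the folder part; the trailing "/" stops /restricted/ matching /restricted2/.
        return (u.scheme, u.hostname, u.port), path[: path.rfind("/") + 1]

    def store(self, url, www_authenticate, user, password):
        """Record credentials that the server accepted after a 401 for url."""
        realm = parse_basic_realm(www_authenticate)
        if realm is None:
            raise ValueError("no Basic realm in challenge")
        origin, folder = self._split(url)
        self._by_realm[(origin, realm)] = (user, password)
        self._by_prefix[(origin, folder)] = realm

    def for_challenge(self, url, www_authenticate):
        """Credentials already known for the realm named in a 401, or None."""
        origin, _ = self._split(url)
        return self._by_realm.get((origin, parse_basic_realm(www_authenticate)))

    def authorization_for(self, url):
        """Preemptive Authorization value from the deepest known folder, or None."""
        origin, path = self._split(url)
        hits = [p for (o, p) in self._by_prefix if o == origin and path.startswith(p)]
        if not hits:
            return None
        user, password = self._by_realm[(origin, self._by_prefix[(origin, max(hits, key=len))])]
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

if __name__ == "__main__":
    cache = BasicCredentialCache()  # realm names below are constructed samples
    cache.store("http://autoplot.org/data/restricted/", 'Basic realm="group area"', "group", "grouppassword")
    cache.store("http://autoplot.org/data/restricted/user1/", 'Basic realm="user1 area"', "user1", "user1password")
    print(cache.authorization_for("http://autoplot.org/data/restricted/user1/a.dat"))
```

A URL outside every stored folder returns None from `authorization_for`, so the request goes out without credentials and any 401 that comes back is matched by realm through `for_challenge`.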

     