What is the purpose of the AuthName directive used within the <Directory></Directory> tag of the httpd.conf file?
AuthName is used when using authentication with Apache. As the documentation says:
The AuthName directive sets the Realm to be used in the
authentication. The realm serves two major functions. First, the
client often presents this information to the user as part of the
password dialog box. Second, it is used by the client to determine
what password to send for a given authenticated area.
In the picture below (from HeliconTech Blog), the AuthName has been set to "secret area".
I have a basic auth protected directory with:
AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/.htpasswd
require valid-user
Everything is OK and directories are not visible, and it forces a login,
but .txt files are visible directly in any browser.
I checked in every browser and it's not some login-remember problem.
Example:
test.com/password-dir/
is not visible
but
test.com/password-dir/1.txt
is visible
For everyone who comes here from Google or other search mechanisms:
I finally found the problem and fixed it.
When you are using curl:
It's very strange: on a LiteSpeed server with cache enabled, when you request a URL with authentication data (user and password), even if you don't send the authentication data again, the server will always respond to your request.
In my case:
test/1.txt
was opened one time with auth data and responded to me; because of this, the server always responded well even if I'm not sending auth data.
But when curl requests another URL like:
test/2.txt
authentication data is needed;
so authentication doesn't have a problem and worked well. It was just the caching mechanism that let me visit/request the file again without auth data.
I created an application which will be used in a domain and I must make the authentication using user credentials. The user must not enter his credentials manually. I must somehow take the username from the target, then check it in Active Directory and then log in.
Searching over the internet I found that I must configure the Apache server.
I tried installing mod_authnz_sspi and then entering the current settings in httpd.conf:
<LocationMatch ^/$>
AuthName "intranet"
AuthType SSPI
SSPIDomain xxx.xxx.xxx.xxx
SSPIAuth on
SSPIOfferSSPI on
SSPIAuthoritative on
require valid-user
SSPIUsernameCase lower
</LocationMatch>
But in the browser a prompt appears to enter the username and password, which I don't want.
I also tried installing mod_authn_ntlm but I didn't succeed.
Does somebody know how to do it? Thanks!
You're on the right track using mod_authnz_sspi. Does it work if you type in the username and password? If so, then your server configuration is done.
To make the browser automatically send the credentials of the currently logged on user, the browser needs to trust the website. For IE and Chrome, you must add the website to the Trusted Sites or Intranet Sites in the Internet Options.
Firefox uses its own setting called network.negotiate-auth.trusted-uris, which is a list of sites it trusts for authentication.
Note: Similar questions deal with either Auth0 with Angular or are several years out of date and refer to previous versions.
We're using Auth0 to provide authentication for a group of applications run on Apache with mod_auth_openidc.
The only customization is that mod_auth_openidc is configured to check whether a user has access to a specific application or not via:
<Location /app1/>
AuthType openid-connect
Require claim valid_app1:true
</Location>
<Location /app2/>
AuthType openid-connect
Require claim valid_app2:true
</Location>
User metadata defined in the Auth0 settings (valid_app1 or valid_app2, etc) defines whether a user can access the applications located at website.com/app1 or website.com/app2, etc.
Currently, the user is correctly redirected to the Auth0 login page when the user tries to access any of the applications, and correctly rejects those users who do not have access to that application.
However on a successful login, the user is redirected to the callback page (defined as the first callback in the Auth0 settings and the OIDCRedirectURI in auth_openidc.conf, e.g. website.com/auth) and not back to the application the user attempted to load.
How do I configure Auth0 with Apache so that a user is returned to the URL of the application they initially attempted to load and not the callback URL?
Good
website.com/app1 > AUTH0 login > website.com/app1
website.com/app2 > AUTH0 login > website.com/app2
Bad
website.com/app1 > AUTH0 login > website.com/auth
You can accomplish this with a few different approaches:
You can register more than one callback/redirect URL within the client application configuration in Auth0 and then each application starts the login process by telling Auth0 the redirect URL associated with it.
You can represent your applications as multiple client applications in Auth0 where each one has a specific callback redirect URL and each application starts the process with that redirect URL.
You can continue to use the same callback URL and then do a second redirect to the final destination. This implies knowing where the user started the process, which can be achieved by leveraging the OAuth state parameter (this parameter should also be used for CSRF protection; see Using the State Parameter).
Options 1 and 2 are very similar; usually, if we are talking about conceptually different applications you would go with option 2, and if it's a single application that just wants to have two different ways of processing the callback you would go with option 1.
Finally, option 3 allows a similar thing to what's done in the first option, that is, the same application can conditionally redirect users to different places after login, but does it without the need to register additional redirect URLs on the Auth0 side. It's the application itself that decides where the user goes after processing the login at the callback URL.
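Option 3 above, as an added Python example that is not part of the original answer and not Auth0's or mod_auth_openidc's code: the application encodes the originally requested path into the OAuth `state` value, signs it with an HMAC, binds it to a nonce kept in the user's session cookie, and at the single registered callback URL (website.com/auth) verifies the state before performing the second redirect. The tenant URL, client id, signing key, the `StateError` class and all function names are this example's own assumptions; the page names only the callback URL.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode, urlsplit

# All values below are constructed for this example; none come from Auth0 or mod_auth_openidc.
STATE_KEY = b"replace-with-a-random-per-deployment-secret"
AUTHORIZE_ENDPOINT = "https://TENANT.auth0.com/authorize"  # placeholder tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CALLBACK_URL = "https://website.com/auth"  # the single registered redirect URI (option 3)


class StateError(Exception):
    """Raised when the state on the callback is missing, forged or from another session."""


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload, key):
    return _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def is_safe_return_path(path):
    """Accept only same-site absolute paths as post-login destinations (no open redirect)."""
    if not isinstance(path, str) or not path.startswith("/") or path.startswith(("//", "/\\")):
        return False
    parts = urlsplit(path)
    return parts.scheme == "" and parts.netloc == ""


def make_state(return_to, key=STATE_KEY):
    """Build the OAuth state: base64url(JSON{nonce, return_to}) + '.' + HMAC-SHA256.

    Returns (state, nonce). The nonce is stored in the user's session cookie so the
    callback can only be completed by the browser that started the login (CSRF check).
    """
    if not is_safe_return_path(return_to):
        return_to = "/"
    nonce = secrets.token_urlsafe(16)
    payload = _b64e(json.dumps({"n": nonce, "r": return_to}).encode())
    return f"{payload}.{_sign(payload, key)}", nonce


def build_login_url(return_to, key=STATE_KEY):
    """URL the app redirects an unauthenticated user to; returns (url, nonce)."""
    state, nonce = make_state(return_to, key)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": "openid",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), nonce


def resolve_callback_target(state, session_nonce, key=STATE_KEY):
    """Run at the callback URL: verify the state, then return the path for the second redirect."""
    payload, sep, mac = state.partition(".")
    if not sep or not hmac.compare_digest(mac, _sign(payload, key)):
        raise StateError("state missing or signature mismatch")
    try:
        data = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        raise StateError("state payload is not valid")
    if not hmac.compare_digest(data.get("n", ""), session_nonce):
        raise StateError("state nonce does not match this session (possible CSRF)")
    target = data.get("r", "/")
    return target if is_safe_return_path(target) else "/"


if __name__ == "__main__":
    url, nonce = build_login_url("/app1/")          # user tried website.com/app1
    state = url.split("state=")[1]                  # what the IdP echoes back to /auth
    print(resolve_callback_target(state, nonce))    # second redirect goes to /app1/
```

The HMAC means the state cannot be edited in transit to point the user elsewhere, the session nonce ties the callback to the browser that began the login, and `is_safe_return_path` keeps the second redirect on the same site even if a crafted `state` somehow carried a full URL.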
My experience with Shibboleth is limited and I have no access to configuration or logs on the IdP or the SP. I am trying to troubleshoot this issue:
Previous Shibboleth session is still active on the client workstation. When attempting to access document protected by the following .htaccess configuration:
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
The client (occasionally) receives the following error message:
Authorization Failed
Based on the information provided to this application about you, you are not authorized to access the resource at "http://myresourcepath"
Please contact the administrator of this service or application if you believe this to be an error
In troubleshooting, I changed .htaccess from
require valid-user
to:
require shib-session
I thought the issue might be the deprecated parameter, but after changing it I was still receiving the authorization failed message. The only way to successfully authorize is to clear the browser cache and revisit the page, which then prompts for authentication; then authorization passes its check and you hit the page successfully with no error.
What complicates matters even more, is, when .htaccess is set to:
require shib-session
The authorization error message persists even after clearing the cache and re-authenticating. I had to change .htaccess back to
require valid-user
I don't know what could cause the random authorization issue. If the session wasn't valid, the user would get directed to the IdP for login, correct? That's Shibboleth's design. So the session has to be valid, but why does it not recognize the user as authorized for that resource?
Additionally:
After I received the message and googled quickly, it seems like a stock response from the IdP:
https://technical.bestgrid.org/index.php/Vladimir's_general_Shiboleth_notes
says:
This specific example asks for the user variable to be set to any value - and any Shibboleth attribute can be used with the variable name it is assigned to in the Attribute Acceptance policy (AAP.xml). For more syntax on using the require directive, see the examples in the SP htaccess documentation on specific features implemented for the Apache require directive.
Users who do not have the attribute (or do not provide it), get the following error message (with the Shibboleth logo). .... is same message....
This form of control however may not be that user friendly - user would have to know to go either use Autograph to allow the release of the attribute, or talk to their IdP administrator to configure the attributes on the IdP.
Also note that this does not work with lazy sessions - in which case one immediately gets the same error message.
Further, note that care must be taken with overlapping access control blocks. These should be listed from the most-generic ("/") to the most specific (as "/secure" in the above example). Otherwise, the more relaxed settings on the generic one would override the more stringent settings on the specific one.
Might there be a way to set one's .htaccess file to prompt for authentication each time? Example: I open a browser tab, go to the password-protected URL, and I'm prompted for a password. Close the tab (main browser still open), repeat the above and be prompted for the password again. This is not happening unless I close the browser. Maybe this is a caching thing?
Here's what I have so far:
AuthType Basic
AuthName "myName"
AuthUserFile "/home/myDir/.htpasswds/public_html/myName/passwd"
require valid-user
Thanks in advance.
Actually it works this way (simplified):
browser sends a request to your server without credentials
Apache responds with a 403 error because "require valid-user" was specified
browser prompts for username & password
browser sends request again, this time credentials are provided
Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
if everything is OK, it puts out the data with a 200 status code
the browser that receives the 200 code caches the used credentials for the relevant domain until the browser session expires
As you see, the problem lies in the browser. You cannot force the browser to forget the password it uses for a domain. And usually you don't want to; for example, if a password-protected page contains images, the browser would require a username and password for each downloaded image.
However there are some tips you could try:
you could write your own Apache authorization handler that only authorises the user every second time it accesses the page; but it's really hard to do
you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
you could do a trick: every time a protected page is accessed, some kind of script changes the password in the passwd file; then provide two passwords for each user and switch them on each request; this way the browser always remembers the "wrong" password; it seems crazy but this is the easiest solution I could think of :-)
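The HTTP Basic exchange this answer walks through, together with the two jobs of the realm quoted from the Apache documentation at the top of the page (the label in the password dialog, and the key under which the client decides which password to send), as an added Python example that is not from any of the original posts and not Apache's code. It models the 401 challenge that carries the realm set by AuthName, verifies credentials against a constructed in-memory AuthUserFile in the {SHA} format that `htpasswd -s` writes, and a client that, like a browser, shows the dialog only for a (host, realm) pair it has not yet seen in the session. The users, passwords, the host `test.com` (taken from an earlier question on this page) and the names `server_handle` and `BrowserSession` are this example's own.

```python
import base64
import hashlib
import hmac
import re


def htpasswd_sha_entry(user, password):
    """Build a user line in the SHA-1 format that `htpasswd -s` writes: user:{SHA}base64(sha1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed in-memory AuthUserFile; users and passwords are made up for this example.
HTPASSWD_LINES = [htpasswd_sha_entry("alice", "wonderland"),
                  htpasswd_sha_entry("bob", "builder")]


def load_htpasswd(lines):
    """Parse AuthUserFile lines into {user: stored_hash}, skipping blanks and comments."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def check_password(stored, password):
    """Constant-time check against a {SHA} entry; other htpasswd formats are not handled here."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def parse_authorization(header):
    """Decode 'Authorization: Basic base64(user:password)'; None if malformed or not Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token.strip(), validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def server_handle(auth_header, realm, users):
    """Server side: 401 plus a challenge naming the realm, or 200 once the credentials verify."""
    creds = parse_authorization(auth_header) if auth_header else None
    if creds and creds[0] in users and check_password(users[creds[0]], creds[1]):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


_REALM_RE = re.compile(r'^\s*Basic\s+realm="([^"]*)"', re.IGNORECASE)


def parse_challenge(www_authenticate):
    """Extract the realm that the AuthName directive put into the challenge."""
    match = _REALM_RE.match(www_authenticate)
    return match.group(1) if match else None


class BrowserSession:
    """Client side: remembers credentials per (host, realm) until the session ends, like a browser."""

    def __init__(self, prompt):
        self.prompt = prompt       # callback(host, realm) -> (user, password): the dialog box
        self.cache = {}
        self.prompts = 0

    def fetch(self, host, realm, users):
        """Request a protected resource on `host`; returns the final HTTP status."""
        auth = None
        for _ in range(2):         # unauthenticated try, then one retry with credentials
            status, headers = server_handle(auth, realm, users)
            if status != 401:
                return status
            key = (host, parse_challenge(headers["WWW-Authenticate"]))
            if key not in self.cache:  # only an unseen realm (or a new session) shows the dialog
                self.prompts += 1
                self.cache[key] = self.prompt(host, key[1])
            user, password = self.cache[key]
            auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        return status


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD_LINES)
    session = BrowserSession(lambda host, realm: ("alice", "wonderland"))
    print(session.fetch("test.com", "restricted area", users), session.prompts)  # 200 1
    print(session.fetch("test.com", "restricted area", users), session.prompts)  # 200 1
    print(session.fetch("test.com", "other area", users), session.prompts)       # 200 2
```

Running it shows why the original poster is not re-prompted: the second request for the same realm is answered from the session cache, and only a different AuthName (a different realm) or a fresh `BrowserSession` triggers the dialog again. The server never sees the cache; each request still carries the `Authorization` header and is verified against the AuthUserFile every time.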