Might there be a way to set one's .htaccess file to prompt for authentication each time? Example: I open a browser tab, go to the pw protected url, I'm prompted for a pw. Close the tab (main browser still open) and repeat the above and be prompted for the pw again. This is not happening unless I close the browser. Maybe this is a caching thing?
Here's what I have so far:
AuthType Basic
AuthName "myName"
AuthUserFile "/home/myDir/.htpasswds/public_html/myName/passwd"
require valid-user
Thanks in advance.
Actually it is working this way (simplified):
browser sends request to your server without credentials
Apache responses with 403 error because "require valid-user" was specified
browser prompts for username & password
browser sends request again, this time credentials are provided
Apache verifies credentials against AuthUserFile and sets "valid-user" accordingly
if everything is OK - puts out data with 200 status code
browser that receives 200 code caches used credentials for the relevant domain until browser session expires
As you see - problem lays in browser. You cannot force browser to forget password it uses for a domain. And usually you don't want to - for example if password protected page contains images - browser would require username and password for each downloaded image.
However there are some tips you could try:
you could write your own Apache authorization handler that only authorises user every second time it is accessing the page; but it's hard to do really
you could use some kind of form-based authentication (in script like php or asp.net) instead of relying on http authentication; this way is quite flexible
you could do a trick, that every time a protected page is accessed some kind of script changes the password in passwd file; then provide two passwords for each user and switch them on each request; this way browser always remember "wrong" password; it seems crazy but this is an easiest solution I could think of :-)
Related
I created an application witch will be used into domain and I must to make the authentification using user credentials. The user must not enter his credentials manualy. I must somehow to take the username from the target and then to check in Active Directory and then login.
Searching over internet I found that I must to configure the Apache server
I tried installing the mod_authnz_sspi and then in httpd.conf entering current settings
<LocationMatch ^/$>
AuthName "intranet"
AuthType SSPI
SSPIDomain xxx.xxx.xxx.xxx
SSPIAuth on
SSPIOfferSSPI on
SSPIAuthoritative on
require valid-user
SSPIUsernameCase lower
</LocationMatch>
But in the browser appear to enter the username and password witch I don't want that
I also tried installing mod_authn_ntlm but I don't succeded
Can somebody know how to do it? thanks!
You're on the right track using mod_authnz_sspi. Does it work if you type in the username and password? If so, then your server configuration is done.
To make the browser automatically send the credentials of the currently logged on user, the browser needs to trust the website. For IE and Chrome, you must add the website to the Trusted Sites or Intranet Sites in the Internet Options.
Firefox uses its own setting called network.negotiate-auth.trusted-uris, which is a list of sites it trusts for authentication.
I made a site and set "Execute the app as" to "Me" and "Who has access to the app" to "Anyone, even anonymous" but it still requires authentication sometimes. I don't want it to ever require authentication. How can I fix that?
I'm testing this with Google Chrome in Incognito mode and Safari on an iPhone.
It is forwarded by Godaddy with a 302.
The problem occurs when I pass a parameter in the url. The only effect of that is to have the page scroll to a certain position and show the appropriate hidden content using this code which really has nothing to do with authentication to Google:
if(e.parameter.objection) {
var id = e.parameter.objection;
s += '<script type="text/javascript">'
+ 'goTo(' + id + ');'
+ '</script>';
}
Try the following links by right-clicking them and choosing "Open Link in Incognito Mode"
Requires authentication:
www.bernierebuttals.org?objection=85
www.bernierebuttals.org/?objection=85
Does not require authentication:
http://bernierebuttals.org
www.bernierebuttals.org
https://script.google.com/macros/s/AKfycbxXNKxLpyh_9H6Xo1-qzSxkVMtmBaAni4L7TrDAiU7xvLRHQ-W7/exec
https://script.google.com/macros/s/AKfycbxXNKxLpyh_9H6Xo1-qzSxkVMtmBaAni4L7TrDAiU7xvLRHQ-W7/exec?objection=85
UPDATE: I just discovered that the behavior has changed since I asked this question. Now when you redirect and pass in a parameter, rather than requiring you to authenticate, the page just doesn't work at all and gives you the error
Doesn't require authentication for me. You may have some problem with browser cookies, etc.
it works the way it is described, no gotcha with/without parameters.
I'm using Apache "Auth" security to limit access to my web site (via commands in the .htaccess file, an .htpasswd file, etc).
Is there a way to de-authorize a user via my PHP script, effectively giving them a way to log out?
With that type of authentication, the username and password are actually send by the browser on every subsequent request. As there's no way to tell a browser "hey, stop sending those", there is no way to do what you're trying to do.
(If, however, you had a PHP script involved that was handling part of the authentication, you could set a session variable for flagging to ignore the valid authentication and pretend the user is logged out.)
However, in terms of a good solution, there is not one. The user will stay logged in until his or her browser decides to stop sending the headers (usually when the browser is closed).
<?
// this PHP will cause a logout event, and give the login prompt again
$AuthName='WHAT-EVER'; // must match AuthName in .htaccess.
header('HTTP/1.0 401 Unauthorized');
header('Content-type: text/html');
header('WWW-Authenticate: Basic realm="'.$AuthName.'"');
// now redirect them when they click cancel
// should be to a page with no password required.
// use an HTML meta redirect instead of HTTP
// so it runs after the auth is cancelled.
?>
<html><head><meta http-equiv='refresh' content='0;../'></head></html>
Is this what you're looking for?
http://www.php.net/manual/en/features.http-auth.php#99348
We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.
Is there a way using Java to over-ride the browser authentication dialog box when a 401 message is received from the web server? I want to know when this dialog is being displayed, and instead of it being given to the user, I fill in the credentials for them.
Overview of application:
i wrote the web server, so essentially i want to stop someone from opening an external browser and putting in the localhost and port to gain access to the data being displayed. my app has an embedded web browser linked to my written server. the browser displays decrypted content, so if i force the auth (even for my embedded browser), an external browser would need credentials. if my embedded browser is trying to access the files, i supply the credentials for the user and display the content
If you don't care about the password showing you can construct the URL so it passes the credentials ex. http://username:password#www.example.com This will by pass the authentication box but will show the user the credentials so also might not be what you are looking for.
SWT 3.5M6 has a new listener within it call AuthenticationListener. It simply listens for authentication event passed from the server and is fired. The code below is what performs the behavior I wanted. It waits for the auth, and if the host is my application, it passes back the credentials. Of course fill in the USER_NAME, PASSWORD and HOST_NAME with appropriate variables. Otherwise it lets the browser auth dialog pop up and makes the user enter the credentials. This code can also be found in the Eclipse SWT snippets page:
webBrowser.addAuthenticationListener(new AuthenticationListener()
{
public void authenticate(AuthenticationEvent event) {
try {
URL url = new URL(event.location);
if (url.getHost().equals(HOST_NAME))
{
event.user = USER_NAME;
event.password = PASSWORD;
}
else
{
/* do nothing, let default prompter run */
}
} catch (MalformedURLException e) {
/* should not happen, let default prompter run */
}
}
});
your question is a bit unclear. The whole basic authentication is based on HTTP Headers.
If the browser gets an authorization header than it displays the dialog. The content from the dialog is then send back to the server. There is nothing special about it. It iser username:password in base64 encoded. Have a look at
wikipedia
The problem is how you want to interfere. You would have to capture the authorization header and then for the next request you have to alter the HTTP header to include the credentials.
hope that helps
I think this is mostly browser-dependent behavior and what the server reports to the browser.
For example, Internet Explorer, being a Microsoft product, directly supports automatic sending of Windows credentials (you can modify this behavior in your Internet Settings) after an anonymous request fails in a 401.
Firefox, for example, does not and will always prompt the user even if it was set to remember the id and password via the password manager. IE will also prompt if auto-login fails (such as your Windows credentials still result in a 401 because you're id isn't allowed).
I don't think, as a web developer, you have much control over this besides setting up your server and app to work in the most expected and harmonious way... if you could, this might get into black hat territory.
If you want to control what is displayed to the user for authentication, you can change the auth-method in the login-config section of the web.xml from BASIC to FORM.
Then you can specify what page should be displayed when the user is authenticating, and, I suppose, pre-fill the credentials for them...but doesn't this defeat the whole purpose of security?
Setting up Authentication for Web Applications
Edit after further details:
My only suggestion would be to change the auth-method to CLIENT-CERT and require two-way SSL, where the client is also required to present a certificate to the server. If you install the certificate into your embedded browser (and make sure external browsers can't get the certificate) then you should be OK. And actually this should stop any authentication dialog from being displayed.