httpd-users mailing list archives

From Bruno Tréguier <>
Subject Re: [users@httpd] Authenticating with subfolders
Date Tue, 21 May 2013 11:44:47 GMT
On 21/05/2013 at 12:51, Vincenzo D'Amore wrote:
> Hi Bruno,

Hi again Vincenzo,

> just read again the RFC you stated, I'm not sure about the assumption
> that a realm can be contained within another.
> Or maybe the implementation done by Apache httpd cannot support
> multiple nested realms.
> As far as I see, you can define just one Realm that, eventually,
> overrides the existing one.

In fact, per RFC2616, a resource can only belong to one realm. The
question, then, is: to access a resource belonging to a certain realm,
are you allowed to cross other realms?

As far as I can see, the answer seems to be no, but I may be wrong.

> This is from "Authentication and Authorization" (
> )
> /The AuthName directive sets the Realm to be used in the authentication.
> The realm serves two major functions. First, the client often presents
> this information to the user as part of the password dialog box. Second,
> it is used by the client to determine what password to send for a given
> authenticated area./

Yes, that's exactly how it works in my opinion, but there seems to be a
little grey area in the fact that to access a resource within a realm,
you must (or not) cross the realms of higher level.

> On the other hand, I took a look at HTTP header during the conversation
> between server and agent.
> Well, the Agent, within its Request, sends an Authorization header quite
> simple. 
> It doesn't even specify the realm, only type and credential:
> Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
> So I'm not sure it is possible to have multiple realms.

As long as there's only one Authorization header, the client doesn't
need to specify a realm, as the server knows what realm the accessed
resource belongs to. But you're right in your analysis: the fact that
the realm isn't specified in the client request makes it highly probable
that you cannot specify several Authorization headers, as if that was
possible, the server would have to guess the right login/password pair
by trying all the Authorization headers until one of them works...
Pretty flawed solution IMHO. ;-)



- Service Hydrographique et Oceanographique de la Marine  -  DMGS/INF
-  13, rue du Chatellier -  CS 92803  - 29228 Brest Cedex 2, FRANCE
-     Phone: +33 2 98 22 17 49  -  Email:
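The exchange above turns on two facts: a resource belongs to exactly one realm, and the client's `Authorization: Basic` header carries no realm at all, so the server must derive the realm from the requested path while the client keeps credentials per realm it has been challenged for. The following script is an added illustration of that round trip and is not code from this thread or from Apache httpd. The paths, realm names and user tables are constructed, and the "longest matching prefix wins" rule is a model of Apache's per-directory `AuthName` merging (the most specific `<Directory>` section applies), not a reimplementation of it.

```python
import base64
import binascii

# Constructed example: two nested protected directories with different realms,
# modelled on Apache's per-directory AuthName, where the most specific
# <Directory> section wins.
REALMS = {
    "/private/": "Outer realm",
    "/private/admin/": "Inner realm",
}

# Constructed credential store, one user table per realm (like separate
# AuthUserFile settings).
USERS = {
    "Outer realm": {"alice": "s3cret"},
    "Inner realm": {"root": "adm1n"},
}


def realm_for(path):
    """Return the realm protecting `path`; the longest matching prefix wins.
    A resource belongs to exactly one realm (RFC 2616/2617)."""
    best = None
    for prefix in REALMS:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return REALMS[best] if best else None


def challenge_for(path):
    """The WWW-Authenticate value the server sends for an unauthorised request."""
    return 'Basic realm="%s"' % realm_for(path)


def parse_challenge(www_authenticate):
    """Extract the realm from a `Basic realm="..."` challenge (None if not Basic)."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "realm":
            return value.strip().strip('"')
    return None


def build_basic_authorization(user, password):
    """Encode user:password as the client does. Note what is *not* here: no realm."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 2617)")
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header_value):
    """Server side: decode `Authorization: Basic <b64>` into (user, password).
    Returns None for malformed input. The realm is never taken from the header;
    it is derived from the requested resource."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def request(path, credential_cache):
    """One client/server round trip.

    The client keeps credentials per realm (as browsers do). The server maps
    the path to its realm; a cached credential for a *different* realm is
    useless, so crossing from the outer to the inner folder yields a fresh 401
    and a new prompt even though the outer password is already known.
    Returns (status, www_authenticate_or_None)."""
    realm = realm_for(path)
    if realm is None:
        return 200, None                      # unprotected resource
    creds = credential_cache.get(realm)
    if creds is None:
        return 401, challenge_for(path)       # nothing cached for this realm
    parsed = parse_basic_authorization(build_basic_authorization(*creds))
    if parsed and USERS[realm].get(parsed[0]) == parsed[1]:
        return 200, None
    return 401, challenge_for(path)           # wrong user/password for this realm


if __name__ == "__main__":
    cache = {}
    status, chal = request("/private/index.html", cache)
    print(status, chal)                                   # 401 Basic realm="Outer realm"
    cache[parse_challenge(chal)] = ("alice", "s3cret")   # user types the outer password
    print(request("/private/index.html", cache))          # (200, None)
    print(request("/private/admin/", cache))              # (401, 'Basic realm="Inner realm"')
    print(parse_basic_authorization("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

The last line decodes the very header quoted in the thread (the RFC 2617 sample value) and shows that only a user-id and password come out of it; the realm lives entirely in the server's path-to-realm mapping and in the client's cache keyed by the realm names it was challenged with.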

