
Our project is moving towards OpenSSO, but we have some CGIs that are accessed via web services. For example, one CGI locates files on the server and supplies them to the client. I understand that OpenSSO allows for an Exclusion List, but I'm wondering if Basic Auth will still be enforced by the Apache webserver?

For example, this is what I would like to happen; I'm just not sure if it would actually work:

  1. User requests url.com/open_area

  2. OpenSSO recognizes that open_area should be left unprotected.

  3. open_area is protected by an ACL in Apache, so Apache denies with response 401, or accepts if the Authorization string in the HTTP request is correct.

Steve

1 Answer


Yes, you can combine several authentication methods using the Satisfy {any|all} directive.

To apply BasicAuth only on some URLs, matching a pattern:

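```apache
# Require Basic Auth for every request whose URL path starts with /webservice/.
# <LocationMatch> is evaluated per request against the URL path.
# (<IfDefine> cannot be used for this: it tests -D startup parameters,
# not per-request variables set by SetEnvIf.)
<LocationMatch "^/webservice/">
    AuthName "Authentication"
    AuthType Basic
    AuthUserFile /somewhere/.htpasswd
    Require valid-user
</LocationMatch>
```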
Hendrik Brummermann
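An added example, not part of the original answer, showing how `Satisfy` changes the outcome when Basic Auth is combined with a host-based rule. It uses Apache 2.2 syntax; the two paths and the 192.0.2.0/24 range are constructed for illustration, and the password file path is the one from the answer.

```apache
# Constructed example: the paths and the network range are assumptions.

# Satisfy all (the default): the client address must be in the allowed
# range AND the request must carry valid Basic Auth credentials.
# A request without credentials gets 401; a request from another
# address gets 403 even with a correct password.
<Location "/webservice/strict">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    AuthName "Authentication"
    AuthType Basic
    AuthUserFile /somewhere/.htpasswd
    Require valid-user

    Satisfy all
</Location>

# Satisfy any: EITHER check is enough. Clients inside the range are
# served without a password; everyone else gets 401 until they send
# valid credentials. If the Allow range is too broad, Basic Auth is
# effectively switched off for those clients.
<Location "/webservice/relaxed">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    AuthName "Authentication"
    AuthType Basic
    AuthUserFile /somewhere/.htpasswd
    Require valid-user

    Satisfy any
</Location>

# Apache 2.4 expresses the same two policies with <RequireAll> and
# <RequireAny> around "Require ip ..." and "Require valid-user";
# Satisfy, Order, Allow and Deny are only available there through
# mod_access_compat.
```

After a reload, requesting each path with and without an `Authorization` header and checking for 401, 403 or 200 confirms which policy is actually in force.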