
Users are authenticated by mod_auth_kerb which works great. Therefore I need to set

Require valid-user

If there is no valid user, Apache fails with a 401 Authorization Required. I would like Apache to deliver the website anyway but without providing a REMOTE_USER to the underlying application (Python code or PHP script).

This is related to How to tell mod_auth_kerb to do its job despite no "require valid-user". But with the important difference that on a whole sub directory on every URL a Kerberos negotiation should be initiated, and if it fails it should deliver the content anyway.

loomi
  • It seems not to be possible to achieve this with mod_auth_kerb. Does anyone know an alternative? (If possible for Apache ...) – loomi Nov 22 '12 at 13:13

1 Answer


There's no way to configure Apache to only "try" authenticating.

The way I would handle that is for your application to decide when to try to authenticate the client, by using a session cookie for example. If the client's session is expired, have the application redirect the client to a specific page covered by "Require valid-user" and set up an ErrorDocument that redirects back to the application in case of failure.

jcharaoui
  • This is a good idea in general and I am investigating this! But I would like to have this behavior not only for a login-site but for the whole website where it gets tricky! – loomi Nov 22 '12 at 13:12
  • Maybe have the application check REMOTE_USER and the session cookie during the application's bootstrapping phase? – jcharaoui Nov 22 '12 at 17:02
  • Yes, this is how the application works at the moment. But at this time it is already too late to initialize the Kerberos authentication. – loomi Nov 22 '12 at 18:29
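
The approach from the answer above, sketched as an Apache configuration. This is an added example, not the answerer's own configuration; the paths /sso/login and /sso/failed.html, the realm EXAMPLE.COM and the keytab path are placeholders.

```apache
# Added example. All paths, the realm and the keytab location are placeholders.
#
# The rest of the site carries no authentication directives, so anonymous
# clients are served normally and the application sees no REMOTE_USER there.

# Single entry point that negotiates Kerberos. The application redirects a
# client here when it has no valid session cookie and has not yet tried SSO.
<Location "/sso/login">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    # No Basic fallback: a client without a ticket must not get a password prompt.
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/apache2/http.keytab
    Require valid-user

    # For 401 this must be a local path. A full URL would be sent as a
    # redirect, and the client would never see the Negotiate challenge.
    ErrorDocument 401 /sso/failed.html
</Location>

# /sso/failed.html lies outside the protected Location, so it is served
# without authentication. Clients that can negotiate never display it: they
# answer the 401 with a ticket and reach the /sso/login handler, which reads
# REMOTE_USER, creates the session cookie and redirects into the site.
# Clients that cannot negotiate render the 401 body, which sends them back
# to a fixed application URL, for example:
#
#   <meta http-equiv="refresh" content="0; url=/?sso=failed">
#
# The application records the failed attempt (for example in the session
# cookie) so it does not redirect the same client to /sso/login again.
```

The application should accept REMOTE_USER only in the /sso/login handler and rely on its own session everywhere else, and the return target in failed.html should be a fixed path rather than a client-supplied URL.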