Replies: 1 comment 1 reply
-
|
Yes, the recommended way is to have a separate login page for these cases. You can see how the freeipa project does in in /ipa: https://github.com/freeipa/freeipa/blob/master/install/share/ipa.conf.template It redirects to an "unauthorized" page that performs the actual authentication. That project has an active page that does a few things there, but you should be able to simply have a special location where Basic Auth is on and then redirect back if auth is successful. |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
OK I'm not having much luck figuring this out.
I've got gssapi doing authentication via gssproxy (enabled in the enviro vars during apache startup).
I need Basic Auth enabled for some windows clients which don't natively have kerberos ticket capabilities.
So
I'm trying to get gssapi session cookies to be used in place of basic Auth if a user has authenticate at least once.
So I'm adding:
Now it seems that web browsers send the basic auth info in the request header "Authorization : basic .. blabla " of subsequent requests even though the cookie has been set.
I think this triggers apache to re-authenticate again an generate a new session token every time.. dumping / ignoring the one that has been set in the request header..
This is massively slowing down the pages responsiveness, to add nearly 1 second to every get request the browser makes while loading the page.
I don't know exactly know why the auth stage is so incredibly slow as a aide quest..
Now there have been methods mentioning having GssapiBasicAuth set to Off for the bulk of the website while keeping the cookie stuff there.
And then having a single "login" page in a location block that has BasicAuth turned on.
But I'm going through an apache proxy setup as part of this, think Jenkins running on the same server but at firewalled port 8080.
And I just can't seem to find the magic combination to get this to work..
Here is what our current config with gssapi auth looks like. But it is stupidly slow and doesn't seem to be using the session cookies..
I'm not even sure if that authentication stuff is meant to be in the proxy block, there are lots of conflicting views on that..
There are methods that talk about splitting the auth domains into an everything else that uses the cookie and redirects via a 401? to a login URL if that cookie fails.
On that page they can login and be given a gss session cookie after basic auth passes.
and get redirected back to the main URL which only uses cookies no BasicAuth enable flag etc...
But I'm having no luck getting that method going..
Any help would be appreciated
Cheers
Richard
Beta Was this translation helpful? Give feedback.
All reactions