# HG changeset patch # User paulb # Date 1076276546 0 # Node ID f977346746797152dcf5b4c3a72c0dc174448d71 # Parent 718bdfeec0449a170cf8acf1aac5b7993b7a8206 [project @ 2004-02-08 21:42:26 by paulb] Added notes about authentication/authorisation in Webware. diff -r 718bdfeec044 -r f97734674679 docs/Webware/NOTES.txt --- a/docs/Webware/NOTES.txt Sun Feb 08 21:42:21 2004 +0000 +++ b/docs/Webware/NOTES.txt Sun Feb 08 21:42:26 2004 +0000 @@ -7,6 +7,35 @@ -------- +Authentication/authorisation in Webware: + +Since Webware provides some kind of CGI emulation environment, the actual HTTP +headers involved with authentication/authorisation are not available to the +WebStack transaction. Therefore, WebStack depends on Webware having access to +the REMOTE_USER environment variable set by the Web server, and with Apache, +this variable is only ever set when Apache itself has performed +authentication. Whilst applications can send the "WWW-Authenticate" header to +HTTP clients, unless Apache has been instructed to process the resulting +username/password information, the REMOTE_USER will apparently remain +undefined. + +Consequently, it is recommended that the following kind of definition is added +to httpd.conf (for Apache) in order to give applications access to +username/password details: + + + AuthType Basic + AuthName "AuthResource" + AuthUserFile /usr/local/apache2/conf/users + require valid-user + + +The details of the application's deployment, including the exact pathname of +the users file and the appropriate access policy, must obviously be defined +according to the actual application concerned. + +-------- + For Webware releases beyond 0.8.1: WebStack applications are supported as contexts within WebKit, meaning that a
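Review bot: In the added httpd.conf example, the directives from "AuthType Basic" to "require valid-user" appear with no enclosing container, so the note does not say what they are scoped to. The lines just before and after them are empty in the patch as shown here, which suggests a Location or Directory wrapper was intended. Please show it, with a placeholder path for the application. The lead-in to the example also promises applications access to "username/password details", but the preceding paragraph only establishes that REMOTE_USER gets set, and that is the authenticated username, not the password. Suggest rewording to "the authenticated username". Finally, because "AuthType Basic" sends the credentials merely base64-encoded on every request, the closing paragraph about the "appropriate access policy" should state that the protected location is expected to be served over HTTPS.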