dnl mod_auth++.m4 $Id: mod_auth++.m4,v 1.22 2008/01/02 13:50:34 sauer Exp $
define(m4_page_name, `mod_auth++')
define(m4_crumb0, m4_page_name)
define(m4_page_title, `mod_auth++')
define(`m4_Ver1_1')
include(`primitives.m4')
include(`appearance.m4')
m4_page(
m4_table(
dnl m4_row(
dnl m4_margin_links
dnl ,
dnl
dnl )
m4_row(
,
Revision History - last updated January 16, 2007
m4_spacer
mod_auth++ was developed for Apache 2.0. I have not updated mod_auth.c to reflect the changes in Apache 2.2. I do not plan to do so. CHS
m4_spacer
mod_auth++
m4_spacer
m4_paragraph_nobr
"mod_auth++" started with my frustration with the existing authorization mechanisms that are available with standard browsers (IE, et al) and web servers (Apache, IIS, et al). I wanted to be able to control access to web cams, photographs, and other "static" content on my web servers in ways that seemed impractical with the commonly used mechanisms. After investigating and thinking, I said: "I think I have come up with a secure scheme for new authentication and access control mechanisms that will integrate nicely with existing web browsers and servers. It seems to fit nicely with the Apache web server. There seems to be a natural way to do equivalent things with Microsoft's IIS. This is a meaningful discovery if, as it seems, there is a way to provide improved authentication and access control mechanisms that fit well with existing code. It will be a victory for software architecture if this works without a huge coding effort." I think I have succeeded, at least with IE and Apache, and believe what I call "mod_auth++" will also work with other browsers and servers. This document describes what I've done, how mod_auth++ might be used, and the limitations and problems I've recognized.
m4_spacer
Current Environment
m4_spacer
m4_paragraph_nobr
There are three current approaches to web authorization and authentication that I consider meaningful:
Basic Access Authentication is widely deprecated as insecure (even in RFC 2617!) because, in non-encrypted environments, it is trivial to capture the User ID and Password. However, if encryption (typically TLS, a.k.a. SSL) is used, then Basic Authentication can be secure.
m4_spacer
m4_paragraph
Except for encrypted Basic Authentication, there are no satisfactory approaches that seem to have any chance of becoming even de facto standards. For completeness, there are other approaches I should mention:
Additional Flexibility and Capabilities
m4_spacer
m4_paragraph_nobr
If you accept that encrypted Basic Authentication is secure, then the biggest problems with Basic are inflexibility and administrator overhead. Understandably, in the tradition of the corresponding operating system mechanisms, Basic assumes that an administrator establishes a User ID and Password. Neither of these is easily managed by the individual being authorized. This is true both in the Apache and the IIS implementations. (Aside -- similar inflexibility is also present with Integrated Windows Authentication.)
m4_spacer
m4_paragraph_nobr
Based on my own experience implementing application-specific approaches for several applications, my observation of application-specific implementations at a wide variety of web sites, and my own desires, I've defined three new modes of Basic Authentication and implemented them in my own version of Apache's mod_auth.c module, the one that implements Basic authentication in Apache.
(Aside -- see m4_html_path/mod_auth++/ for a directory listing of the files I cite here, m4_html_path/mod_auth++/mod_auth.c.2.0.48 for the unmodified Apache 2.0.48 version of mod_auth.c, and m4_html_path/mod_auth++/mod_auth.c for the mod_auth++ version of mod_auth.c. Though I have only applied the new modes to mod_auth.c, mod_auth_dbm.c would probably be a better vehicle for these modes.)
These are the modes defined in the mod_auth++ version of mod_auth.c. You can experiment with them by clicking on the links, but beware that you will want to close and re-open your browser between trying the different modes. Note also that the new modes require the User ID to at least resemble an e-mail address. Further, two of the modes (Confirm and Approve) are two-step modes, in that they require that you confirm your e-mail address and password between steps. Matthew Gregg at the mod_auth_any project kindly pointed me at their approach to avoiding the problem of Logging out When Using .htaccess Authentication. I integrated this approach with mod_auth++ and was delighted! Unfortunately, an update to Internet Explorer breaks that approach -- with current IE it is necessary to exit the browser entirely and then reopen the browser to proceed. With other current browsers it should not be necessary for you to close/reopen within the two-step modes (Confirm and/or Approve). dnl
  1. Traditional - traditional Basic Authentication. Use User ID "guest" and Password "guest" if you wish to test this mode.
  2. Ignore - ignore the Password
  3. Approve - you supply your own Password. However, the Password will not work further until an administrator grants access. (The administrator may, of course, refuse to grant access.) In this example directory, the first step is request.html and the second step is approve.html. An example "content" file that is accessible if and only if the two step process has worked and an administrator has approved access is approved.html.
  4. Confirm - you supply your own Password and it is accepted without administrator intervention. (The administrator may, of course, subsequently revoke access.) In this example directory, the first step is initial.html and the second step is confirm.html. An example "content" file that is accessible if and only if the two step process has worked and an administrator has not revoked access is confirmed.html.
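The following is an added illustration, not code from mod_auth++ or Apache: a small Python model of how a Basic-Authentication request is decoded (the "trivial to capture" point made under Current Environment) and then decided under each of the four modes listed above. The password-file layout (an Entry with approved and revoked flags), the e-mail regex, the mode spelling, and the function names (basic_header, parse_basic_header, authorize, PasswordFile.approve, PasswordFile.revoke) are all my assumptions; the second "confirm your e-mail address and password" step of the Approve and Confirm modes is collapsed into the first request, and the model refuses Basic credentials on a cleartext connection, which the page recommends but does not show mod_auth.c doing.

```python
import base64
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# The page only says the User ID must "at least resemble" an e-mail address;
# this regex is my assumption of what that check looks like.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MODES = ("traditional", "ignore", "approve", "confirm")

class AuthError(Exception):
    """Raised when the Authorization header cannot be parsed."""

def basic_header(user: str, password: str) -> str:
    """Build the header a browser sends for Basic authentication (RFC 2617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header: str) -> Tuple[str, str]:
    """Decode a Basic 'Authorization' header into (user, password).
    base64 is an encoding, not encryption: without TLS anyone who can read the
    header can read the password, which is why RFC 2617 deprecates cleartext Basic."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise AuthError("not a Basic credential")
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise AuthError("malformed Basic credential") from exc
    user, sep, password = raw.partition(":")
    if not sep or not user:
        raise AuthError("credential is not 'user:password'")
    return user, password

def _same(a: str, b: str) -> bool:
    """Constant-time comparison, so password checks leak no timing information."""
    return secrets.compare_digest(a.encode(), b.encode())

@dataclass
class Entry:
    """One password-file record (assumed layout; plaintext only to keep the
    example short, a real file stores password hashes)."""
    password: str
    approved: bool = False  # administrator has granted access (Approve mode)
    revoked: bool = False   # administrator has withdrawn access (Confirm mode)

@dataclass
class PasswordFile:
    """In-memory stand-in for the file that mod_auth.c would read and update."""
    entries: Dict[str, Entry] = field(default_factory=dict)

    def approve(self, user: str) -> None:
        self.entries[user].approved = True

    def revoke(self, user: str) -> None:
        self.entries[user].revoked = True

def authorize(mode: str, pwfile: PasswordFile, header: str, tls: bool) -> Tuple[bool, str]:
    """Decide one request; returns (allowed, reason), the reason being the kind
    of text an access or error log line would carry."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if not tls:
        # Basic is only acceptable under TLS; refuse before the password is used.
        return False, "Basic credentials refused on a cleartext connection"
    try:
        user, password = parse_basic_header(header)
    except AuthError as exc:
        return False, str(exc)

    if mode == "traditional":
        entry = pwfile.entries.get(user)
        ok = entry is not None and _same(entry.password, password)
        return ok, "checked against administrator-issued password"

    # The three new modes want an e-mail address as the User ID so that the
    # access log records who fetched the content.
    if not EMAIL_RE.match(user):
        return False, "User ID must resemble an e-mail address"
    if mode == "ignore":
        # Password unchecked: this keeps content out of search engines and logs
        # an address, and provides no other protection.
        return True, f"password ignored; logged {user}"

    entry = pwfile.entries.get(user)
    if entry is None:
        # First visit: the user chooses their own password.
        pwfile.entries[user] = Entry(password=password)
        if mode == "confirm":
            return True, "self-registered; access granted until revoked"
        return False, "self-registered; waiting for administrator approval"
    if not _same(entry.password, password):
        return False, "wrong password for existing entry"
    if mode == "approve":
        return (True, "approved by administrator") if entry.approved else (False, "not yet approved")
    return (False, "access revoked by administrator") if entry.revoked else (True, "confirmed")
```

Running the same Basic header through the four modes makes the differences concrete: Ignore grants access to any e-mail-shaped User ID whatever the password, Approve records the self-chosen password but answers "not yet approved" until PasswordFile.approve is called, and Confirm grants access immediately and keeps doing so until PasswordFile.revoke is called.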
Status, Background and Limitations
m4_spacer
m4_paragraph_nobr
First, I consider what I have done so far to be beta-level, both this document and the code. I intend to pursue both the code and the documentation further, but have no specific timetable for doing so. Second, I should admit that Traditional, Ignore, and Approve are the only modes I've used for production purposes, so far. Third, I should say more about how/why the modes are the way they are.
m4_spacer
m4_paragraph_nobr
Part of the original inspiration for mod_auth++ came from Apache's mod_auth_anon.c module, which implements "anonymous" authentication analogous to traditional anonymous FTP. However, the user model, since it is like traditional anonymous FTP, is wrong for the web -- there is no reason the user should have to type "anonymous" or any other ID, except for their e-mail address. Further, both for the user's sake and the underlying implementation, the e-mail address should go in the User ID field, not the Password field. mod_auth_anon.c claims that it will record the e-mail address in the error log, but this is untrue and unfixable, in my opinion. Besides, the e-mail address should go in the access log, just like any other User ID would in Basic Authentication.
m4_spacer
m4_paragraph_nobr
I looked at mod_auth_any, which is a generic authentication module for Apache. At the time, it looked like mod_auth_any was in hiatus. I see now that there have been some updates since I looked before, so I was apparently wrong. However, mod_auth_any seemed too comprehensive and complex for what I wanted at the time, and I didn't see any likelihood of an analogous module being created for IIS.
m4_spacer
m4_paragraph_nobr
I think the rationale behind Approve mode is fairly obvious. I've been using Ignore mode to protect some web cams and photographs. The only real protection Ignore mode has given these has been to keep them out of search engines. I don't even have SSL turned on for those items. I expect to turn on SSL and apply Approve mode to these items. The rationale for Confirm mode is less clear, but I expect I will find good use for it.
m4_spacer
m4_paragraph_nobr
The biggest limitations I'm conscious of are:
Implementation Notes
m4_spacer
m4_paragraph_nobr
If you want to try mod_auth++ on your own server, please do. The only real Apache files I've changed are mod_auth.c and httpd.conf. There's nothing unusual in what I do in httpd.conf. If you have already built and installed 2.0.48, you should be able to
I've put htaccess as a hard link to .htaccess in m4_html_path/mod_auth++/ so that you can see the one new directive (AuthUserControl). Similarly, I've put hard links to the Password files in m4_html_path/mod_auth++/ so that their contents would be visible.
m4_spacer
m4_paragraph_nobr
I should also point out that all of the Apache work I have done has been in Linux. I have not tried any other flavors of *nix and have not tried to pursue making this work in Apache for Windows. However, I have tried to think about this and believe it can be made to work in Apache for Windows. Similarly, I have not done anything to make any of this work in IIS, but believe it would be reasonable to do so.
m4_spacer
Revision History
Apache 2.2 disclaimer - January 16, 2007
IE/documentation change - March 1, 2005
  • Add JavaScript to detect IE and handle the two-step modes, to accommodate breakage of nph-logout.cgi with the latest updates to IE.
Beta 1 - February 2, 2004
  • Corrections and enhancements to this page
  • maasuccess.html and macsuccess.html use a <meta> tag to redirect to the second step pages, approve.html and confirm.html, respectively. Without this redirection, the second step of the Approve and Confirm modes was not occurring.
  • There seemed to be a file pointer not being kept accurately in mod_auth.c, resulting in scrambled password files. I'm not certain about this. It may be that there is no problem or it may be that I don't have adequate test cases yet and there is still a problem.
Beta 0 - October 31, 2003
  • Added mod_auth_any approach to avoid need to close/reopen browser for two step modes (Approve and Confirm).
  • Miscellaneous small fixes and enhancements
Alpha - October 20, 2003
  • Initial public version.
,
include(`notesitems.m4')
) dnl end m4_row primary content
) dnl end m4_table
) dnl end m4_page