Digest Authentication; Using .htaccess files - From Apache: The Definitive Guide (2/7) | WebReference

Digest Authentication; Using .htaccess files - From Apache: The Definitive Guide (2/7)

Apache: The Definitive Guide, Chapter 5: Authentication

The httpd.conf file is as follows:

User webuser
Group webgroup
ServerName www.butterthlies.com
ServerAdmin sales@butterthlies.com
DocumentRoot /usr/www/APACHE3/site.digest/htdocs/customers
ErrorLog /usr/www/APACHE3/site.digest/logs/customers/error_log
TransferLog /usr/www/APACHE3/site.digest/logs/customers/access_log
ScriptAlias /cgi-bin /usr/www/APACHE3/cgi-bin
<VirtualHost sales.butterthlies.com>
ServerAdmin sales_mgr@butterthlies.com
DocumentRoot /usr/www/APACHE3/site.digest/htdocs/salesmen
ServerName sales.butterthlies.com
ErrorLog /usr/www/APACHE3/site.digest/logs/salesmen/error_log
TransferLog /usr/www/APACHE3/site.digest/logs/salesmen/access_log
ScriptAlias /cgi-bin /usr/www/APACHE3/cgi-bin
<Directory /usr/www/APACHE3/site.digest/htdocs/salesmen>
AuthType Digest
AuthName darkness
AuthDigestFile /usr/www/APACHE3/ok_digest/sales
require valid-user
#require group cleaners

Go to the Config file (see Chapter 1). If the line:

Module digest_module mod_digest.o

is commented out, uncomment it and remake Apache as described previously. Go to the Apache support directory, and type:

% make htdigest
% cp htdigest /usr/local/bin

The command-line syntax for htdigest is:

% htdigest [-c]passwordfile realm user

Go to /usr/www/APACHE3 (or some other appropriate spot) and make the ok_digest directory and contents:

% mkdir ok_digest
% cd ok_digest
% htdigest -c sales darkness bill
Adding password for user bill in realm darkness.
New password: theft
Re-type new password: theft
% htdigest sales darkness ben
% htdigest sales darkness sonia
% htdigest sales darkness daphne

Digest authentication can, in principle, also use group authentication. In earlier editions we had to report that none of it seemed to work with the then available versions of MSIE or Netscape. However, Netscape v6.2.3 and MSIE 6.0.26 seemed happy enough, though we have not tested them thoroughly. Include the line:

LogLevel debug

in the Config file, and check the error log for entries such as the following:

client used wrong authentication scheme: Basic for \

Whether a webmaster used this facility might depend on whether he could control which browsers the clients used.


This directive enables the generation of Content-MD5 headers as defined in RFC1864 and RFC2068.

ContentDigest on|off
Default: ContentDigest off
server config, virtual host, directory, .htaccess

MD5, as described earlier in this chapter, is an algorithm for computing a "message digest" (sometimes called "fingerprint") of arbitrary-length data, with a high degree of confidence that any alterations in the data will be reflected in alterations in the message digest. The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity body. A proxy or client may check this header for detecting accidental modification of the entity body in transit. See the following example header:

   Content-MD5: AuLb7Dp1rqtRtxz2m9kRpA==

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached).

Content-MD5 is only sent for documents served by the core and not by any module. For example, SSI documents, output from CGI scripts, and byte-range responses do not have this header.

Created: March 10, 2003
Revised: March 10, 2003

URL: http://webreference.com/internet/apache/chap5/3/2.html