Bug 16937 - Broken(?) 401 response from Apache 1.3.27 when digest auth required
Status: CLOSED FIXED
Alias: None
Product: Apache httpd-1.3
Classification: Unclassified
Component: Auth/Access
Version: HEAD
Hardware: PC All
Importance: P3 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2003-02-10 18:27 UTC by almighty
Modified: 2005-03-20 17:06 UTC
Description almighty 2003-02-10 18:27:19 UTC
Hi all, 
 
I have just tried out MD5 digest authentication and ran into a problem. Using Mozilla or 
Internet Explorer I was able to log into the site; however, using Opera (6.0.x or 
7.0) or Konqueror I was not. Konqui just said login had failed, Opera claimed it had 
refused to send username and password since the domain of the auth requirement 
didn't match the URL I had requested (this was not the exact message but really 
comes quite close).  
 
Following there is the section from httpd.conf regarding the (to be) password 
protected area: 
 
  Alias /intern d:/stuff/htdocs 
  <Directory "d:/stuff/htdocs/milestone2/jBOSSstuff/en"> 
    AuthType Digest 
    AuthName "testingDgst" 
    AuthDigestFile d:/Programme/Apache-1.3.27/conf/digest.pwd 
    Require user onlyme 
  </Directory> 
 
This is the URL to be requested: 
/intern/milestone2/jBOSSstuff/en/index.html 
 
As you can see - this is a Windows machine (NT in my case). From Konqueror's debug 
output I could read the following (mind the domain): 
... 
"HTTP/1.1 401 Authorization Required" 
"Date: Mon, 10 Feb 2003 16:47:24 GMT" 
"Server: Apache/1.3.27 (Win32) PHP/4.0.5" 
"WWW-Authenticate: Digest realm="testingDgst", nonce="...", algorithm=MD5, 
domain="d:/stuff/htdocs/milestone2/jBOSSstuff/en", qop="auth"" 
... 
 
As you can see, Apache exposes the file system path of the protected directory. Of 
course it doesn't match the URL one requests when clicking on a link, so I understand 
why Opera complains. Besides I do not really want filesystem paths to be visible 
outside. 
If I use the following configuration in httpd.conf everything works fine: 
 
  Alias /intern d:/stuff/htdocs 
  <Location "/intern/milestone2/jBOSSstuff/en"> 
    AuthType Digest 
    AuthName "testingDgst" 
    AuthDigestFile d:/Programme/Apache-1.3.27/conf/digest.pwd 
    Require user onlyme 
  </Location> 
 
Konqueror will then have the following in its debug output: 
"HTTP/1.1 401 Authorization Required" 
"Date: Mon, 10 Feb 2003 16:47:24 GMT" 
"Server: Apache/1.3.27 (Win32) PHP/4.0.5" 
"WWW-Authenticate: Digest realm="testingDgst", nonce="...", algorithm=MD5, 
domain="/intern/milestone2/jBOSSstuff/en", qop="auth"" 
 
I hope someone could get the digest authentication to work together with the Directory 
directive. 
 
Thanks in advance, 
	Andreas Leuner
Comment 1 André Malo 2003-02-11 02:15:11 UTC
Well, it's a bug in the code that guesses the domain parameter. It relies on
having unix paths (starting with slash).
You can work around it by using the AuthDigestDomain directive explicitly.
(You should always use the AuthDigestDomain directive anyway)

It's fixed in 2.1 and proposed for backport.

Thanks for the report and thanks for using Apache!
Comment 2 almighty 2003-02-11 10:49:02 UTC
Unfortunately the AuthDigestDomain directive is not recognized by Apache 1.3.x (only 
version 2.0.x) 
 
I have also experimented a bit. I have now a Linux Apache 1.3.27 (compiled from 
source) running. Authorisation works with configurations equivalent to both described 
configs in my original message. However there seems to be no domain parameter at 
all in the 401 response here (both configurations). I don't know if one has to be there - 
so I can live with my result. 
Maybe you could take this as a feature request ;-) 
 
Bye, 
	Andreas Leuner 
Comment 3 André Malo 2003-02-11 11:26:14 UTC
Oh, it seems we're talking about two different things.
There are two modules in 1.3 for digest authentication, mod_digest (deprecated)
and the newer mod_auth_digest. The latter recognizes the AuthDigestDomain
directive and creates the described error (in Directory containers and if not set).

I'd guess you have installed good ol' mod_digest under Linux, where the domain
parameter will not be composed at all.
Comment 4 almighty 2003-02-11 11:38:31 UTC
Argh, you're right. I remember that I explicitly took mod_auth_digest for the Windows 
server. I must have slept when I set up Apache for Linux. I will try mod_auth_digest 
ASAP. 
Comment 5 almighty 2003-02-11 12:32:56 UTC
Now I got it. I have recompiled my Apache including mod_digest_auth. 
Regarding the domain parameter the Linux version behaves wrongly, similar to the 
Windows version. If I use the <Directory> directive to configure the authentication the 
domain parameter in the 401 response will be an _empty_ string. This confuses at 
least Konqueror which keeps on loading forever. If I use <Location>, that parameter 
will have the correct value. 
Using the AuthDigestDomain directive indeed makes both <Directory> and <Location> 
work (thanks for the correction). 
 
Thanks for your help, 
	Andreas Leuner 
Comment 6 André Malo 2003-02-13 13:56:13 UTC
Well, I changed the fix by removing the domain guessing code entirely. Guessing
here seems totally bogus to me. (aside from the broken guessing code anyway).

The effect is then, if no AuthDigestDomain is specified, the domain attribute
will be omitted (which is the same as AuthDigestDomain /).

If nobody vetoes the change, it will hopefully be backported.

Thanks again.
Comment 7 André Malo 2003-02-16 04:52:34 UTC
Fix will be available in the next release (1.3.28).
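
An added example, not part of the bug report or of Apache's code: a Python check that parses a Digest `WWW-Authenticate` challenge and flags the `domain` problems described in this thread (a filesystem path, an empty string, or a value that does not cover the requested URL). The function names and the sample headers are constructed for illustration from the values quoted above.

```python
import re
from urllib.parse import urlsplit

# auth-param: name = quoted-string | token
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_digest_challenge(value):
    """Split a 'Digest ...' WWW-Authenticate value into a dict of parameters."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {m.group(1).lower(): m.group(3) if m.group(2) is None else m.group(2)
            for m in _PARAM.finditer(rest)}

def check_domain(value, request_path):
    """Return findings about the domain parameter; an empty list means it is fine."""
    params = parse_digest_challenge(value)
    if "domain" not in params:
        return []  # omitted: the protection space is the whole server
    uris = params["domain"].split()  # domain is a space-separated URI list
    if not uris:
        return ["domain is an empty string"]  # reported above to confuse Konqueror
    findings, covered = [], False
    for uri in uris:
        if re.match(r"[A-Za-z]:[\\/]", uri):  # drive letter, e.g. d:/stuff
            findings.append("filesystem path exposed: " + uri)
            continue
        parts = urlsplit(uri)
        if not uri.startswith("/") and not (parts.scheme and parts.netloc):
            findings.append("not an abs_path or absolute URI: " + uri)
            continue
        prefix = parts.path.rstrip("/")
        if request_path == prefix or request_path.startswith(prefix + "/"):
            covered = True
    if not covered:
        findings.append("request path is outside the advertised domain")
    return findings

# Challenges rebuilt from the values quoted in this report (nonce elided as on the page).
_BASE = 'Digest realm="testingDgst", nonce="...", algorithm=MD5, {}qop="auth"'
SAMPLES = {
    "directory_win32": _BASE.format('domain="d:/stuff/htdocs/milestone2/jBOSSstuff/en", '),
    "location": _BASE.format('domain="/intern/milestone2/jBOSSstuff/en", '),
    "directory_linux": _BASE.format('domain="", '),
    "domain_omitted": _BASE.format(""),
}
REQUEST = "/intern/milestone2/jBOSSstuff/en/index.html"

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, check_domain(header, REQUEST) or "ok")
```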