From 80db94fff6a9620fb469ee911347ed973e3f7735 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Tue, 27 Dec 2011 19:42:03 +0100 Subject: Upstream tarball 2.2.3 --- docs/manual/mod/mod_auth_digest.html.en | 329 ++++++++++++++++++++++++++++++++ 1 file changed, 329 insertions(+) create mode 100644 docs/manual/mod/mod_auth_digest.html.en (limited to 'docs/manual/mod/mod_auth_digest.html.en') diff --git a/docs/manual/mod/mod_auth_digest.html.en b/docs/manual/mod/mod_auth_digest.html.en new file mode 100644 index 00000000..d6c676da --- /dev/null +++ b/docs/manual/mod/mod_auth_digest.html.en @@ -0,0 +1,329 @@ + + + +mod_auth_digest - Apache HTTP Server + + + + + + +
<-
+
+Apache > HTTP Server > Documentation > Version 2.2 > Modules
+
+

Apache Module mod_auth_digest

+
+

Available Languages:  en  | + ko 

+
+ + + +
Description:User authentication using MD5 + Digest Authentication.
Status:Experimental
Module Identifier:auth_digest_module
Source File:mod_auth_digest.c
+

Summary

+ +

This module implements HTTP Digest Authentication. However, it + has not been extensively tested and is therefore marked + experimental.

+
+ +
top
+
+

Using Digest Authentication

+ +

Using MD5 Digest authentication is very simple. Simply set + up authentication normally, using AuthType Digest and + AuthDigestProvider + instead of the normal AuthType Basic and + AuthBasicProvider. + Then add a AuthDigestDomain directive containing at least the root + URI(s) for this protection space.

+ +

Appropriate user (text) files can be created using the + htdigest tool.

+ +

Example:

+ <Location /private/>
+ + AuthType Digest
+ AuthName "private area"
+ AuthDigestDomain /private/ http://mirror.my.dom/private2/
+
+ AuthDigestProvider file
+ AuthUserFile /web/auth/.digest_pw
+ Require valid-user
+
+ </Location> +

+ +

Note

+

Digest authentication is more secure than Basic authentication, + but only works with supporting browsers. As of September 2004, major + browsers that support digest authentication include Amaya, Konqueror, MS Internet Explorer + for Mac OS X and Windows (although the Windows version fails when + used with a query string -- see "Working with MS + Internet Explorer" below for a workaround), Mozilla, + Netscape 7, Opera, and Safari. lynx does not + support digest authentication. Since digest authentication is not as + widely implemented as basic authentication, you should use it only + in environments where all users will have supporting browsers.

+
+
top
+
+

Working with MS Internet Explorer

+

The Digest authentication implementation in current Internet + Explorer for Windows implementations has known issues, namely that + GET requests with a query string are not RFC compliant. + There are a few ways to work around this issue.

+ +

+ The first way is to use POST requests instead of + GET requests to pass data to your program. This method + is the simplest approach if your application can work with this + limitation. +

+ +

Since version 2.0.51 Apache also provides a workaround in the + AuthDigestEnableQueryStringHack environment variable. + If AuthDigestEnableQueryStringHack is set for the + request, Apache will take steps to work around the MSIE bug and + remove the request URI from the digest comparison. Using this + method would look similar to the following.

+ +

Using Digest Authentication with MSIE:

+ BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On +

+ +

See the BrowserMatch + directive for more details on conditionally setting environment + variables

+
+
top
+

AuthDigestAlgorithm Directive

+ + + + + + + + +
Description:Selects the algorithm used to calculate the challenge and +response hashes in digest authentication
Syntax:AuthDigestAlgorithm MD5|MD5-sess
Default:AuthDigestAlgorithm MD5
Context:directory, .htaccess
Override:AuthConfig
Status:Experimental
Module:mod_auth_digest
+

The AuthDigestAlgorithm directive + selects the algorithm used to calculate the challenge and response + hashes.

+ +
+ MD5-sess is not correctly implemented yet. +
+ + +
+
top
+

AuthDigestDomain Directive

+ + + + + + + +
Description:URIs that are in the same protection space for digest +authentication
Syntax:AuthDigestDomain URI [URI] ...
Context:directory, .htaccess
Override:AuthConfig
Status:Experimental
Module:mod_auth_digest
+

The AuthDigestDomain directive allows + you to specify one or more URIs which are in the same protection + space (i.e. use the same realm and username/password info). + The specified URIs are prefixes; the client will assume + that all URIs "below" these are also protected by the same + username/password. The URIs may be either absolute URIs (i.e. + including a scheme, host, port, etc.) or relative URIs.

+ +

This directive should always be specified and + contain at least the (set of) root URI(s) for this space. + Omitting to do so will cause the client to send the + Authorization header for every request sent to this + server. Apart from increasing the size of the request, it may + also have a detrimental effect on performance if AuthDigestNcCheck is on.

+ +

The URIs specified can also point to different servers, in + which case clients (which understand this) will then share + username/password info across multiple servers without + prompting the user each time.

+ +
+
top
+

AuthDigestNcCheck Directive

+ + + + + + + +
Description:Enables or disables checking of the nonce-count sent by the +server
Syntax:AuthDigestNcCheck On|Off
Default:AuthDigestNcCheck Off
Context:server config
Status:Experimental
Module:mod_auth_digest
+
+ Not implemented yet. +
+ + +
+
top
+

AuthDigestNonceFormat Directive

+ + + + + + + +
Description:Determines how the nonce is generated
Syntax:AuthDigestNonceFormat format
Context:directory, .htaccess
Override:AuthConfig
Status:Experimental
Module:mod_auth_digest
+
Not implemented yet.
+ + +
+
top
+

AuthDigestNonceLifetime Directive

+ + + + + + + + +
Description:How long the server nonce is valid
Syntax:AuthDigestNonceLifetime seconds
Default:AuthDigestNonceLifetime 300
Context:directory, .htaccess
Override:AuthConfig
Status:Experimental
Module:mod_auth_digest
+

The AuthDigestNonceLifetime directive + controls how long the server nonce is valid. When the client + contacts the server using an expired nonce the server will send + back a 401 with stale=true. If seconds is + greater than 0 then it specifies the amount of time for which the + nonce is valid; this should probably never be set to less than 10 + seconds. If seconds is less than 0 then the nonce never + expires. +

+ +
+
top
+

AuthDigestProvider Directive

+ + + + + + + + +
Description:Sets the authentication provider(s) for this location
Syntax:AuthDigestProvider provider-name +[provider-name] ...
Default:AuthDigestProvider file
Context:directory, .htaccess
Override:AuthConfig
Status:Experimental
Module:mod_auth_digest
+

The AuthDigestProvider directive sets + which provider is used to authenticate the users for this location. + The default file provider is implemented + by the mod_authn_file module. Make sure + that the chosen provider module is present in the server.

+ +

See mod_authn_dbm, mod_authn_file, + and mod_authn_dbd for providers.

+ +
+
top
+

AuthDigestQop Directive

+ + + + + + + + +
Description:Determines the quality-of-protection to use in digest +authentication
Syntax:AuthDigestQop none|auth|auth-int [auth|auth-int]
Default:AuthDigestQop auth
Context:directory, .htaccess
Override:AuthConfig
Status:Experimental
Module:mod_auth_digest
+

The AuthDigestQop directive determines + the quality-of-protection to use. auth will + only do authentication (username/password); auth-int is + authentication plus integrity checking (an MD5 hash of the entity + is also computed and checked); none will cause the module + to use the old RFC-2069 digest algorithm (which does not include + integrity checking). Both auth and auth-int may + be specified, in which the case the browser will choose which of + these to use. none should only be used if the browser for + some reason does not like the challenge it receives otherwise.

+ +
+ auth-int is not implemented yet. +
+ +
+
top
+

AuthDigestShmemSize Directive

+ + + + + + + +
Description:The amount of shared memory to allocate for keeping track +of clients
Syntax:AuthDigestShmemSize size
Default:AuthDigestShmemSize 1000
Context:server config
Status:Experimental
Module:mod_auth_digest
+

The AuthDigestShmemSize directive defines + the amount of shared memory, that will be allocated at the server + startup for keeping track of clients. Note that the shared memory + segment cannot be set less than the space that is necessary for + tracking at least one client. This value is dependant on your + system. If you want to find out the exact value, you may simply + set AuthDigestShmemSize to the value of + 0 and read the error message after trying to start the + server.

+ +

The size is normally expressed in Bytes, but you + may let the number follow a K or an M to + express your value as KBytes or MBytes. For example, the following + directives are all equivalent:

+ +

+ AuthDigestShmemSize 1048576
+ AuthDigestShmemSize 1024K
+ AuthDigestShmemSize 1M +

+ +
+
+
+

Available Languages:  en  | + ko 

+
+ \ No newline at end of file -- cgit v1.2.3
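Review bot: The AuthDigestNonceLifetime text defines behaviour for seconds greater than 0 and for seconds less than 0, but not for a value of exactly 0. State what 0 does, since the setting decides whether a nonce ever expires. The AuthDigestNcCheck table describes "checking of the nonce-count sent by the server", yet the nonce-count is a value the client sends. Its body also says "Not implemented yet." while the AuthDigestDomain section still warns of a performance cost "if AuthDigestNcCheck is on"; these statements should be reconciled. The AuthDigestEnableQueryStringHack paragraph says Apache will "remove the request URI from the digest comparison" without saying what check is given up. Add a sentence on that trade-off beside the BrowserMatch example, which sets the variable for every user agent matching "MSIE". Minor: "dependant" in the AuthDigestShmemSize text should be "dependent", and "in which the case" in the AuthDigestQop text should be "in which case".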