1.1 --- a/docs/Webware/NOTES.txt Sun Feb 08 21:42:21 2004 +0000
1.2 +++ b/docs/Webware/NOTES.txt Sun Feb 08 21:42:26 2004 +0000
1.3 @@ -7,6 +7,35 @@
1.4
1.5 --------
1.6
1.7 +Authentication/authorisation in Webware:
1.8 +
1.9 +Since Webware provides some kind of CGI emulation environment, the actual HTTP
1.10 +headers involved with authentication/authorisation are not available to the
1.11 +WebStack transaction. Therefore, WebStack depends on Webware having access to
1.12 +the REMOTE_USER environment variable set by the Web server, and with Apache,
1.13 +this variable is only ever set when Apache itself has performed
1.14 +authentication. Whilst applications can send the "WWW-Authenticate" header to
1.15 +HTTP clients, unless Apache has been instructed to process the resulting
1.16 +username/password information, the REMOTE_USER will apparently remain
1.17 +undefined.
1.18 +
1.19 +Consequently, it is recommended that the following kind of definition is added
1.20 +to httpd.conf (for Apache) in order to give applications access to
1.21 +username/password details:
1.22 +
1.23 +<Location "/webkit/auth">
1.24 + AuthType Basic
1.25 + AuthName "AuthResource"
1.26 + AuthUserFile /usr/local/apache2/conf/users
1.27 + require valid-user
1.28 +</Location>
1.29 +
1.30 +The details of the application's deployment, including the exact pathname of
1.31 +the users file and the appropriate access policy, must obviously be defined
1.32 +according to the actual application concerned.
1.33 +
1.34 +--------
1.35 +
1.36 For Webware releases beyond 0.8.1:
1.37
1.38 WebStack applications are supported as contexts within WebKit, meaning that a
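Review bot: In the added paragraph that introduces the httpd.conf snippet, "in order to give applications access to username/password details" overstates what the application receives. As the preceding paragraph says, Apache performs the authentication and WebStack only sees REMOTE_USER, so the password never reaches the application; suggest "access to the authenticated username" instead. Because the example uses AuthType Basic, which sends the credentials base64-encoded rather than encrypted on every request, the note should also state that the protected location is expected to be served over HTTPS. The closing paragraph already says the users file path and access policy are deployment-specific; it would help to add that the AuthUserFile must stay outside any directory the server publishes. Finally, "will apparently remain undefined" reads as unverified; if the behaviour was confirmed, say so and name the Apache and Webware versions it was tested with.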