7 May 2012 11:49
Re: eXist as a proxy from Lighttpd - digest based authentication - UPDATE
badbetty <bch <at> shroggslodge.freeserve.co.uk>
2012-05-07 09:49:25 GMT
As I have documented, I have Lighttpd configured to apply DIGEST (not BASIC) authentication when it processes a URL that contains /apps/. This works correctly; no problems at all, and an HTTP authorization header is created as a result of a successful authorization, or 'unauthorized' is returned.

If I now switch on the Lighttpd proxy to pass any URL with /apps/ to eXist (in standalone or webapp configuration, but I am using standalone for now), Lighttpd correctly applies the authorization check as above, and then correctly proxies the request to eXist to handle, as far as I can tell.

At this point there are 2 observations:

1) If I have a controller.xql in eXist that traps the proxy request and handles it all itself (i.e. no rewrite or passing on to other servlets etc.) by directly returning some XML (even XML obtained from a database collection [using xmldb:///]), then there are no problems at all!

2) If the controller applies a URL rewrite, or just passes a request on, e.g. to retrieve a resource in the db collection, then another authentication check is issued with the realm 'exist' (I presume this is coming from Jetty?? as there are no records in the Lighttpd logs) and no matter what is entered, an endless authentication loop is created between Lighttpd and eXist, it seems.

3) Based on the above, it appears to me that when a servlet is fired up AFTER the controller, there are authorization checks being applied (using BASIC authentication, or whatever is default).

Anyone, please: is there a way to 'turn off' Jetty/eXist authorization/security checking, just so I can test with everything open, as it were?

Thank you,
Chris

NB: as an aside, I have emailed Dannes Wessels direct on this in desperation! I thought I might post here for the benefit of others too.

--
View this message in context: http://exist.2174344.n4.nabble.com/eXist-as-a-proxy-from-Lighttpd-digest-based-authentication-tp4600788p4614420.html
Sent from the exist-open mailing list archive at Nabble.com.