That standard states:
if the client request required authentication for external access, then the server MUST set the value of this variable from the 'auth-scheme' token in the request Authorization header field. However, you are configuring Apache to NOT authenticate and therefore Apache CANNOT provide those headers. It never asked for them, and has no knowledge of any authentication you are requiring in the CGI script. At this point, the 'authenticating server` is your CGI script. Also, keep in mind it also provides this disclaimer: This document is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this document for any purpose, and in particular notes that it has not had IETF review for such things as security, congestion control or inappropriate interaction with deployed protocols. The RFC Editor has chosen to publish this document at its discretion. Readers of this document should exercise caution in evaluating its value for implementation and deployment. On Sun, Mar 1, 2020 at 11:33 AM Roderick <hru...@gmail.com> wrote: > > I do not want apache "doing basic auth". I want to do it in the > cgi script myself, and as I understand RFC3875, the headers in > question should be passed for that purpose. > > Thanks anyway > Rodrigo > > > On Sun, 1 Mar 2020, Eric Covener wrote: > > > If Apache isn't doing basic auth, it can't supply REMOTE_USER to you, > > because it hasn't authenticated anyone. Similar for AUTH_TYPE -- the > > server hasn't done any auth. > > Authorization isn't passed by default intentionally as a typical CGI > > has no business w/ the users credentials. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- Jonathon Koyle
