DAV ignores allow.basic.auth.login but sets cookie

Description

allow.basic.auth.login=false should prevent people from logging in to Sakai with basic auth, and although this works for requests through the portal and access servlet, DAV ignores it.

Arguably though DAV just doesn't work without basic auth so maybe this should be the case.

However, DAV sets a normal cookie for its requests, so I as a user of a browser supporting cookies can go to a DAV URL, enter my username and password through basic auth and then type in the portal URL and bingo, I'm logged in to the portal.
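
The behaviour the description asks for, as an added example that is not part of the original issue or Sakai's own code: each session records how it was authenticated, and a session created through basic auth is refused outside the DAV path when basic auth login is disabled. The class, enum and `/dav/` path prefix are hypothetical, and the record syntax needs Java 16 or later.

```java
import java.util.*;

// Added illustration, not Sakai code: class, enum and path names are hypothetical.
public class AuthMethodBoundSessions {
    enum AuthMethod { FORM_OR_SSO, BASIC }

    record Session(String user, AuthMethod method) {}

    // Session store keyed by cookie value (stands in for the container's session map).
    private final Map<String, Session> sessions = new HashMap<>();
    private final boolean allowBasicAuthLogin;   // mirrors allow.basic.auth.login

    AuthMethodBoundSessions(boolean allowBasicAuthLogin) {
        this.allowBasicAuthLogin = allowBasicAuthLogin;
    }

    // Called by whichever endpoint authenticated the user; returns the cookie value.
    String login(String user, AuthMethod method) {
        String cookie = UUID.randomUUID().toString();
        sessions.put(cookie, new Session(user, method));
        return cookie;
    }

    // Decide whether a request carrying `cookie` may use `path`.
    boolean authorize(String cookie, String path) {
        Session s = sessions.get(cookie);
        if (s == null) return false;                       // no session at all
        if (s.method() != AuthMethod.BASIC) return true;   // form/SSO sessions work everywhere
        if (allowBasicAuthLogin) return true;              // site permits basic auth logins
        // Basic-auth sessions stay confined to the endpoint that needs basic auth.
        return path.startsWith("/dav/");
    }

    public static void main(String[] args) {
        AuthMethodBoundSessions app = new AuthMethodBoundSessions(false);
        String davCookie = app.login("alice", AuthMethod.BASIC);        // constructed sample user
        String ssoCookie = app.login("alice", AuthMethod.FORM_OR_SSO);

        System.out.println("DAV cookie on /dav/site1: " + app.authorize(davCookie, "/dav/site1"));
        System.out.println("DAV cookie on /portal:    " + app.authorize(davCookie, "/portal"));
        System.out.println("SSO cookie on /portal:    " + app.authorize(ssoCookie, "/portal"));
    }
}
```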

Activity

Ian Boston May 17, 2008 at 6:00 PM

I am marking this as won't fix, pending a patch or more demand.

Matthew Buckett April 23, 2008 at 3:09 AM

Sorry, no. It's something that we may work on in the future but due to a change in policy we don't need it as urgently as before.

Ian Boston April 23, 2008 at 2:37 AM

Matthew,
You don't happen to have a patch (or perhaps this is incorporated by another patch?)

Matthew Buckett October 16, 2007 at 4:40 AM

  • If you don't want your passwords going over a non-SSL connection then you may wish to disable basic auth and only force SSL on your login tool pages? For this it would probably be better to have an option to only allow basic auth on secure connections.

  • If you want to force people to do some other workflow on login (accept terms / accept new announcements) then you may only wish them to use cookie/form based authentication.

Oxford Note: We need to keep people using our WebSSO solution for all browser based logins and need to generate a secondary username/password for basic auth requests (DAV, RSS, Thunderbird/iTunes) which is local to Sakai. But we don't want people logging in to the portal with this username/password.

Stephen Marquard October 16, 2007 at 3:53 AM

Is there any reason (policy, technical, security?) why one would want to disallow basic auth?

It was initially disabled by default only because it was a new feature.

Won't Fix

Created September 28, 2007 at 9:16 AM
Updated October 23, 2008 at 6:29 AM
Resolved May 17, 2008 at 6:00 PM