Authentication through mod_auth_kerb should provide website with no user if no TGT provided

Question

Users are authenticated by mod_auth_kerb which works great. Therefore I need to set

Require valid-user

If there is no valid user Apache fails with an 401 Authorization Required. I would like Apache to deliver the website anyway but without providing a REMOTE_USER to the underlying application (python code, or php script).

This is related to How to tell mod_auth_kerb to do its job despite no "require valid-user". But with the important difference that on a whole sub directory on every URL a Kerberos negotiation should be initiated, and if it fails it should deliver the content anyway.

score 2 · Answer 1 · answered Nov 21 '12 at 16:03

There's no way to configure Apache to only "try" authenticating.

The way I would handle that is for your application to decide when to try to authenticate the client, by using a session cookie for example. If the client's session is expired, have the application redirect the client to a specific page covered by "Require valid-user" and set up an ErrorDocument that redirects back to the application in case of failure.

Authentication through mod_auth_kerb should provide website with no user if no TGT provided

1 Answers1