Mix Basic Auth and Shibboleth

Peter Schober peter.schober at univie.ac.at
Sun Sep 12 11:00:48 UTC 2021

* chad phillips <chad at chadphillips.org> [2021-09-12 06:03]:
> Is it possible to have an Apache directory restricted by BOTH Shibboleth
> and Basic Auth?  I would like the crawler to be able to use Basic
> Authentication, but regular users would go through Shibboleth.


An example code snippet implementing that can be found here:
That requires the HTTP Basic Auth client to "volunteer" the HTTP
Authorization header (instead of needing the server to challenge the
client with HTTP 401).

But you could also base the conditional logic on other criteria,
e.g. the IP range(s) the crawler comes from.

While it's not generally advisable (to be putting it mildly) to base
authn/authz logic on client-supplied data you might also evaluate a
custom HTTP Header (or U-A string) the crawler sends to trigger the
changed behaviour.
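
One way to express the header-based switch described in the reply above, as an added example that is not part of the original post or the snippet it links to. It assumes Apache 2.4 with mod_shib loaded; the `/secure` path, realm name, htpasswd path and the IP range in the comment are placeholders.

```apache
# Added example (not from the original post). Placeholders: /secure,
# the realm name and the htpasswd file path.
<Location "/secure">
    # A request that already carries an Authorization header is handled
    # by Basic Auth. A request without it goes to Shibboleth and never
    # sees a 401 challenge, so the crawler must send the header up front.
    #
    # To switch on source address instead, the condition could be
    # <If "-R '192.0.2.0/24'"> (documentation range, constructed).
    <If "-n req('Authorization')">
        AuthType Basic
        AuthName "Crawler access"
        AuthBasicProvider file
        AuthUserFile "/etc/apache2/crawler.htpasswd"
        # The header only selects this branch; the credentials in it
        # are still verified against the password file.
        Require valid-user
    </If>
    <Else>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Else>
</Location>
```

Because the Basic branch still validates the supplied credentials, a client that sends the header only chooses the authentication method and does not skip authentication.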

