The auth action implements HTTP basic authentication between the client and FIT. The auth action contains a list of user elements, which have the following attributes:

- pass="..." defines the password (required, must not be empty)
- name="..." defines the username (optional, defaults to the empty string)
If the client has not sent authentication credentials, a 401 Authentication required status is returned. In a subsequent request with credentials matching a configured user, the action does not halt the flow.
The auth action is useful to protect sites under development.

HTTP basic auth does not provide strong protection, as no encryption is used: the credentials are only base64-encoded in the Authorization header. You should only use it on HTTPS connections. (See also the force-client-https security setting.)
```xml
<auth>
  <user pass="top secret" />
  <user name="fred" pass="wilma" />
  <!-- repeated user is ignored -->
  <user name="fred" pass="betty" />
</auth>
```

Note that only the first match is evaluated if user names are repeated.
System administrators may configure auth credentials for debug logging in fit.ini. This, too, makes use of HTTP basic auth and therefore interferes with this action. Thus, debugging a site with an auth action will always lead to 401 responses, because the client can only send one set of credentials per request, not one for debug and one for the site.

You can work around this by adding a condition to the auth action:

```xml
<flow>
  <auth if="not(request/debug)">
    <user name="fred" pass="wilma" />
  </auth>
  <default-request />
  <parse />
</flow>
```
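The following Python model, added here as an illustration and not FIT's own implementation, shows the behaviour the action description above implies: parsing the Basic Authorization header, the first-match rule for repeated user names, the empty default name, the 401 response when credentials are missing, and how a condition on the action lets a debug request through. The request is modelled as a plain dict, and the assumption that mismatching credentials are answered with 401 in the same way as missing ones is the example's, not the page's; the debug user name and realm string are placeholders.

```python
import base64
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """One <user> element: pass is required and non-empty, name defaults to ''."""
    pass_: str
    name: str = ""

    def __post_init__(self):
        if not self.pass_:
            raise ValueError("pass attribute must not be empty")


def parse_basic_credentials(authorization):
    """Return (name, password) from a 'Basic <base64>' header value, or None if malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    name, _, password = raw.partition(":")
    return name, password


def credentials_match(users, name, password):
    """First user with a matching name decides; later duplicates are ignored."""
    for user in users:
        if user.name == name:
            # constant-time comparison so timing does not leak password length/prefix
            return hmac.compare_digest(user.pass_.encode(), password.encode())
    return False


def auth_action(users, request, condition=lambda req: True):
    """Return None to let the flow continue, or (status, headers) to halt it.

    `condition` models the if="..." attribute: when it evaluates to False the
    action is skipped entirely, which is the debug workaround from the page.
    """
    if not condition(request):
        return None
    creds = parse_basic_credentials(request.get("authorization"))
    if creds is not None and credentials_match(users, *creds):
        return None
    # Missing or (assumed) non-matching credentials: ask the client for Basic auth.
    return 401, {"WWW-Authenticate": 'Basic realm="site"'}  # realm is a placeholder


def basic_header(name, password):
    """Build the header value a client would send (constructed helper for demonstration)."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()


# Constructed configuration mirroring the <auth> example on this page.
USERS = [User("top secret"), User("wilma", "fred"), User("betty", "fred")]

if __name__ == "__main__":
    print(auth_action(USERS, {}))                                           # 401
    print(auth_action(USERS, {"authorization": basic_header("fred", "wilma")}))   # None
    print(auth_action(USERS, {"authorization": basic_header("fred", "betty")}))   # 401
    # debug request carrying the (placeholder) fit.ini debug credentials
    dbg = {"authorization": basic_header("debug-user", "debug-pass"), "debug": True}
    print(auth_action(USERS, dbg))                                          # 401
    print(auth_action(USERS, dbg, condition=lambda r: not r.get("debug")))  # None
```

The last two calls reproduce the interference described above: the single Authorization header holds the debug credentials, so the site's auth action rejects the request unless the action is skipped for debug requests.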
The following cases are considered fatal and will terminate the request: