auth action implements HTTP basic authentication between the client and
The auth action contains a list of user elements, which have the following attributes:
pass="..." to define a password (required, must not be empty)
name="..." to define a username (optional, defaults to the empty string)
If the client has not sent authentication credentials, a 401 Authentication required status is returned. In a subsequent request with credentials matching a configured user, the action does not halt the flow.
The auth action is useful for protecting sites under development.
HTTP basic auth does not provide strong protection, as no encryption is used. You should only use it on HTTPS connections. (See also the force-client-https security setting.)
<auth>
  <user pass="top secret" />
  <user name="fred" pass="wilma" />
  <!-- repeated user is ignored -->
  <user name="fred" pass="betty" />
</auth>
Note that only the first match is evaluated if user names are repeated.
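The matching rules above can be modelled in a few lines to audit an auth block before deployment. This is an added example, not FIT's own code: the function names `load_users`, `check` and `basic` are hypothetical, and returning 401 for wrong credentials is an assumption (the page only states the 401 for missing credentials).

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the <auth> block from the example above.
SAMPLE = """<auth>
  <user pass="top secret" />
  <user name="fred" pass="wilma" />
  <user name="fred" pass="betty" />
</auth>"""

def load_users(xml_text):
    """Return ({name: pass}, warnings), keeping only the first entry per name."""
    users, warnings = {}, []
    for el in ET.fromstring(xml_text).iter("user"):
        name = el.get("name", "")        # name is optional, defaults to ""
        password = el.get("pass")
        if not password:                 # pass is required and must not be empty
            warnings.append(f"user {name!r}: missing or empty pass")
        elif name in users:              # repeated name: later entry never matches
            warnings.append(f"user {name!r}: repeated entry is ignored")
        else:
            users[name] = password
    return users, warnings

def check(users, authorization):
    """Return 401 to halt the flow, or None to let it continue."""
    if not authorization or not authorization.startswith("Basic "):
        return 401                       # no credentials sent
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except ValueError:                   # bad base64 or bad UTF-8
        return 401
    name, sep, password = decoded.partition(":")
    expected = users.get(name)
    if not sep or expected is None:
        return 401
    # Assumption: wrong credentials are answered like missing ones.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return None if ok else 401

def basic(name, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()
```

Running `load_users` over a site's configuration surfaces shadowed entries such as the second `fred`, whose password would otherwise look valid to a reader of the file but never be accepted.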
System administrators may configure auth credentials for debug logging in fit.ini. This, too, makes use of HTTP basic auth and therefore interferes with this action. Thus, debugging a site with an auth action will always lead to responses, because the client cannot send credentials for both debug and site.
You can work around this by adding a condition to the
<flow>
  <auth if="not(request/debug)">
    <user name="fred" pass="wilma" />
  </auth>
  <default-request />
  <parse />
</flow>
The following cases are considered fatal and will terminate the request: