Can an application perform its own access control?

Normally client password information is not passed to content-generation applications such as CGIs or Java Servlets. However, you can configure certain applications to be passed this information using the PassEnvAuthorization directive. It may be set in a global htaccess file and can be embedded in any sectioning directive.

   PassEnvAuthorization on|off   (default off)

When set to 'on', the environment data for dynamic applications (CGIs, JServ, FastCGIs, NSAPI etc.) will contain the client's 'Authorization:' header as 'HTTP_AUTHORIZATION'. This allows the application to perform its own access control, e.g.

   <Location /distributed/>
   PassEnvAuthorization on
   </Location>

Obviously only 'trusted' applications should be given the client's password information for their access control purposes: an application that receives the 'Authorization:' header can recover the client's plaintext credentials from it, so enable this only for the specific locations that need it. Application servers such as Zope and some Java Servlets require this information.

PassEnvAuthorization is a Zeus extension to the Apache specification.

Example

The value of the Authorization: header is normally encoded in some way; RFC 2617 describes the common schemes. For the Basic scheme the value is the word 'Basic' followed by the Base64 encoding of 'username:password'. Base64 is a reversible encoding, not encryption, so anyone who can read the header can read the password.

The following CGI script illustrates how to decode an Authorization: header used by the Basic authentication scheme.

The script, basicauth.cgi.txt, is available as a download.
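The following is an added example, not the basicauth.cgi.txt script from the original page. It is a Python 3 CGI script that reads the HTTP_AUTHORIZATION variable exposed by PassEnvAuthorization, decodes a Basic credential, and rejects anything it cannot parse (a Digest header, malformed Base64, a missing ':' separator). The credential table and the realm name are constructed for this example and are assumptions, not part of the original page.

```python
#!/usr/bin/env python3
"""CGI script that performs its own Basic-auth check from HTTP_AUTHORIZATION.

Added example: not the page's basicauth.cgi.txt. The USERS table and the
realm name below are constructed for illustration only.
"""
import base64
import binascii
import hmac
import os
import sys

# Constructed sample credential table for this example; a real application
# would consult its own user store (and store password hashes, not plaintext).
USERS = {"alice": "s3cret", "bob": "a:b"}


def basic_header(user, password):
    """Build the 'Basic <base64>' value a client sends; used to construct test input."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header):
    """Return (user, password) from a 'Basic <base64>' header value.

    Returns None for anything that is not a well-formed Basic credential:
    a different scheme (e.g. Digest), invalid Base64, a non-UTF-8 payload,
    or a decoded string without the ':' separator.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Only the first ':' separates user from password; the password may contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(header, users=USERS):
    """Return the authenticated user name, or None if the request must be refused."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    expected = users.get(user)
    if expected is None:
        return None
    # Constant-time comparison so a wrong password does not leak how many
    # leading bytes matched.
    if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return user
    return None


def main():
    """CGI entry point: challenge the client or serve the protected content."""
    user = check_credentials(os.environ.get("HTTP_AUTHORIZATION"))
    if user is None:
        # Challenge the client; the realm name is an assumption for this example.
        sys.stdout.write("Status: 401 Unauthorized\r\n")
        sys.stdout.write('WWW-Authenticate: Basic realm="distributed"\r\n')
        sys.stdout.write("Content-Type: text/plain\r\n\r\n")
        sys.stdout.write("Authorization required\n")
        return 1
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write("Hello, %s\n" % user)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script relies on PassEnvAuthorization being 'on' for its location; without it HTTP_AUTHORIZATION is absent from the environment and every request is challenged. Note that the 401 challenge is only useful if the web server itself is not already authenticating the location, since otherwise the client never reaches the script without credentials.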

Content Manager [Administrator], 19 September 2005