On 05 May 2014, at 08:22, Dariush Forouher <dariush(a)forouher.de> wrote:
using apache basic_auth on my webserver that runs Davical and
While caldavzap doesn't seem to be negatively affected by basic_auth,
unfortunately it doesn't take advantage of it either. In theory it could
skip the login screen and jump right into the calendar. Instead one has
to enter his credentials again.
no, basic auth is not related to "fast login" or anything similar. Basic auth
authentication where your username and password are sent in the request
header without encryption. Another authentication is the Digest auth which
uses multiple request/responses and sends your password in hashed form.
Yes, I'm using Basic Auth over TLS:
AuthName "My secret area"
You're right, it doesn't offer anything like "fast login" (the user
still has to enter her password, just in a popup window presented by the
What Basic Auth *does* offer is a simple way to achieve single-sign-on
across wildly different web applications, as the browser will cache the
credentials during its runtime.
You are partially right :-) ... the problem is that this approach works well
needs to send username+password directly in the request, then it simply
needs to know the username/password (and it cannot read these from the
browser /there is no API for that/).
"/auth/" shows that caldavzap correctly receives username/password from
the webserver (even when not "logged in" in caldavzap).
No, the auth module cannot return the username/password if you are not
logged in. You very probably entered your username + password into
the browser authentication window and saved them. Then if you open
the /auth/ URL your browser sends the username + password automatically.
a way to make caldavzap (and *mate) to skip the login-screen in
such a setup?
It looks like you don't understand the reason why the auth module exists.
The MAIN reason is to prevent the browser from showing the auth popup if you
enter invalid username/password into the login windows (because this problem
Yeah, the concept of the auth module is a bit fuzzy to me, and maybe it
doesn't have anything to do with what I try to achieve (i.e., make
caldavzap somehow acquire the credentials provided by the browser).
How I understand caldavzap is that it is running partially as PHP on the
server and partially in the browser as JS. I don't have much experience
with JS-based apps like this. Old-school web applications like PHP-based
ones could easily be modified to make use of the PHP_AUTH_* variables so
that they would skip their login-screen.
if it sends the username+password directly to the *DAV server and these
credentials are invalid, then your browser shows the auth popup window
(because it handles the WWW-Authenticate: response header) which breaks
the consistency of the GUI. There are 2 possible solutions for this problem:
1.) do not send the "WWW-Authenticate:" header if the client is CardDavMATE
or CalDavZAP (X-Client header) ... this approach requires changes on server side
2.) create a "proxy" module, which sends username+password to the
*DAV server and if the authentication is unsuccessful it does NOT return the
"WWW-Authenticate:" header back to the client (=> no auth popup); the
login process (only the login process) then looks like:
Client => Auth module => Server
I'd like to do the same with caldavzap. As caldavzap seems to run
primarily as JS in the browser, it obviously doesn't have access to the
PHP_AUTH_* environment variables. I just wonder whether you might know a
way to make this work regardless.
As I mentioned earlier there is no way to get the username/password from
you there is no principal URL => it will not work.
What you can try is:
1.) use the globalAccountSettings option with empty ('') username+password and
href option set to principal URL with invalid user part (such as "xxx") and then
rewrite rules on server side and replace the "xxx" username (from the auth
before the request reaches the *DAV server
2.) change the source code and perform the request to the auth module without
requiring a click on the "Login" button. The reason why there is no such option is
I really hate it, because of the stupid implementation of the basic auth by browsers
(there is no way to logout without browser restart)
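
The two ways of suppressing the browser's auth popup described in the thread above (dropping "WWW-Authenticate:" for requests carrying the X-Client header, or dropping it in a proxy auth module), as an added example that is not part of the original messages and is not CalDavZAP's own code. The X-Client value format, the function names and the sample request/response objects are assumptions constructed for illustration.

```javascript
// Added example, not CalDavZAP code. Header names come from the thread; the
// X-Client value format and all function names are assumptions.
const JS_CLIENT = /^(caldavzap|carddavmate)\b/i;

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Browsers open the native credential dialog only for a 401 that carries a challenge.
function browserWouldPrompt(response) {
  return response.status === 401 &&
    getHeader(response.headers, 'WWW-Authenticate') !== undefined;
}

// Copy the *DAV server's response for the browser, dropping the challenge when asked.
//   mode 'x-client': option 1, drop it only when X-Client names one of the JS clients
//   mode 'proxy':    option 2, the auth module drops it for every login request
// The status is never changed: a failed login stays a 401, so only the popup is
// suppressed and the client-supplied X-Client header cannot bypass authentication.
function filterChallenge(request, upstream, mode) {
  const fromJsClient = JS_CLIENT.test(getHeader(request.headers, 'X-Client') || '');
  const drop = upstream.status === 401 && (mode === 'proxy' || fromJsClient);
  const headers = {};
  for (const [name, value] of Object.entries(upstream.headers)) {
    if (drop && name.toLowerCase() === 'www-authenticate') continue;
    headers[name] = value;
  }
  return { status: upstream.status, headers };
}

// Constructed sample: a rejected login as a Basic-auth protected *DAV server answers it.
const failedLogin = {
  status: 401,
  headers: { 'WWW-Authenticate': 'Basic realm="My secret area"', 'Content-Length': '0' },
};
const zapRequest = { headers: { 'X-Client': 'CalDavZAP (constructed value)' } };
const otherRequest = { headers: {} };

for (const [label, req, mode] of [
  ['option 1, CalDavZAP', zapRequest, 'x-client'],
  ['option 1, other client', otherRequest, 'x-client'],
  ['option 2, any client', otherRequest, 'proxy'],
]) {
  const res = filterChallenge(req, failedLogin, mode);
  console.log(`${label}: status ${res.status}, popup ${browserWouldPrompt(res)}`);
}
```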