RE: Pulling up instructions for authentication

From: Dave J Woolley <DJW@dont-contact.us>
Date: Fri, 29 Oct 1999 17:46:06 +0100

> From: Espen Lyngaas [SMTP:Espen.Lyngaas@colorline.no]
>
> If I understand the sequence of events correctly, Squid works something
> like this:
> ...
> 1) Squid receives a request for a url from a browser
> 2) Squid's acl config hits the url as one that requires authentication
        4) Squid authenticates

        And the authentication supplied with the request is not
        correct. (else go to step 5)

> 3) Squid sends out the http code to bring up the dialog box in the browser
>
        Together with a web page explaining the reason for
        not directly replying with the requested page.

        The user keys the authentication data into the browser.
        The browser resends the request with the authentication
        data attached.

        Continue from step 1.
         
> 5) Squid gets the url
> ...
>
> Is it possible to get Squid to somehow send out an html doc just after step
> 2, containing instructions on what to type into the dialog box that just
> appeared on your screen in step 3?
>
        It is required to do so by the HTTP standards, although most
        browsers will only show this information after three failed
        attempts or the authentication dialogue is cancelled.

        It cannot force a page to be displayed in the meantime.

> Once you've been authenticated, the instructions page would be replaced by
> the contents of the url you requested.
>
        When the browser re-requests with the correct authentication,
        anything displayed by the browser will be replaced by the
        returned page. Generally it is the browser's authentication prompt
        that will be replaced - I know of no browser that displays the
        underlying HTML before a failure. (Note that it is possible that
        IE5, in its misnamed friendly errors mode, will never display the
        original web page.)

        The skeleton text for the web page is in
        ..../etc/errors/ERR_CACHE_ACCESS_DENIED

        Note that the original challenge from the proxy should contain
        a string which will be displayed in the dialogue box by any
        competent browser, to indicate the resource to which the challenge
        applies (probably the whole proxy server in this case).
        As far as I can tell, it is the job of the external authenticator
        program to generate all this information.

        NB I am generalising from documentation and origin server based
        authentication; I don't use proxy authentication. It is conceivable
        that the wrong HTML is sent.

        Overall, squid is constrained by the protocol and your browser, and
        how the browser is configured.
Received on Fri Oct 29 1999 - 10:58:49 MDT
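
The challenge and retry loop discussed in this message, as an added example that is not part of the original post and is not Squid's code. The 407 status and the Proxy-Authenticate / Proxy-Authorization header names come from the HTTP specification; the realm, user table, page text and function names are constructed for illustration.

```python
import base64
import hmac

# Constructed values for illustration; none of these come from the message.
REALM = "Example proxy"
USERS = {"alice": "s3cret"}
DENIED_PAGE = ("<html><body><h1>Cache Access Denied</h1>"
               "<p>Enter your proxy user name and password.</p></body></html>")

def check_credentials(header_value):
    """Validate a 'Basic <base64(user:password)>' Proxy-Authorization value."""
    if not header_value:
        return False
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())

def proxy_handle(request_headers):
    """Proxy side: return (status, headers, body) for one request."""
    if check_credentials(request_headers.get("Proxy-Authorization")):
        return 200, {}, "<html>requested page</html>"
    # The challenge carries the realm shown in the dialog AND an HTML body.
    challenge = {"Proxy-Authenticate": f'Basic realm="{REALM}"',
                 "Content-Type": "text/html"}
    return 407, challenge, DENIED_PAGE

def browser_fetch(typed_credentials):
    """Browser side: prompt, resend, repeat. The 407 body is only shown once
    the user gives up. Returns (status, body_shown, challenges_seen)."""
    headers, challenges = {}, []
    attempts = iter(typed_credentials)
    while True:
        status, resp_headers, body = proxy_handle(headers)
        if status != 407:
            return status, body, challenges
        challenges.append(resp_headers["Proxy-Authenticate"])
        creds = next(attempts, None)
        if creds is None:  # dialog cancelled or no more attempts
            return status, body, challenges
        token = base64.b64encode(":".join(creds).encode()).decode()
        headers = {"Proxy-Authorization": f"Basic {token}"}
```
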
