Is it possible to bypass http authentication?
Hi guys,
I am sure many will agree that HTTP authentication is a bit annoying, albeit mandatory.
I am integrating the Nagios Core web interface with another application, and I wish I could just bypass the HTTP authentication without setting a default username in the config file.
The ideal scenario will be:
1. User is authenticated into the external application.
2. Based on the user's role, we use the "nagiosadmin" or "nagiosuser" details to log in to the Nagios Core web interface without popping up the authentication dialog.
I have tried using AJAX, cURL, and PEAR::HTTP_Request in PHP but still can't prevent the dialog box from showing, especially in Chrome.
Some people suggest making the server return 403 instead of 401, or even supplying a custom Authorization challenge.
I understand that NagiosXI is using some kind of proxy, judging by the file called coreproxy.inc (or something similar).
Has anyone succeeded in doing so without using a proxy?
Thank you very much!
Re: Is it possible to bypass http authentication?
I tested the following and it works (just not in IE though):
Note: This is the standard way of handling automatic logins for htpasswd (basic auth) protected sites.
Code:
http://username:[email protected]/nagios
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: Is it possible to bypass http authentication?
Thank you, abrist.
That actually works, I can confirm it.
Code:
http://username:[email protected]/nagios
For IE 9, I think I use something like this in PHP to make it work.
Code:
header('P3P: CP="CAO PSA OUR"');
However, I forgot to mention that I am using Digest Authentication instead of Basic.
Using Digest, I have to combine my username and password with the challenge sent by the server and send it back in the header response.
With Basic authentication, my user can still see the username and password by simply right-clicking and viewing the page source, since I load the web interface in an iframe.
Code:
<iframe src="http://username:[email protected]/nagios" ></iframe>
And, without SSL, this is a giveaway!
I have very tight security requirements, so this solution is not applicable for me.
I am giving up.
Thanks anyway.
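The Digest computation described in the post above, next to what a Basic header amounts to, as an added example that is not part of the original thread or of Nagios. It uses the sample challenge and credentials from RFC 2617 section 3.5 and covers only MD5 with qop=auth (or no qop); the function names are illustrative.

```python
import base64
import hashlib
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_challenge(header):
    """Turn a 'WWW-Authenticate: Digest ...' value into a dict of its fields."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    fields = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in fields}


def digest_response(user, password, method, uri, challenge, cnonce, nc=1):
    """RFC 2617 'response' value (MD5, qop=auth or legacy no-qop)."""
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    nonce = challenge["nonce"]
    offered = [q.strip() for q in challenge.get("qop", "").split(",")]
    if "auth" in offered:
        return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility form


def basic_header(user, password):
    """Basic is only base64(user:password): an encoding, not a secret."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_basic(header):
    """What anyone who sees a Basic header (or a user:pass URL) can recover."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    return tuple(raw.split(":", 1))


# Challenge and credentials are the RFC 2617 section 3.5 sample, not Nagios values.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    chal = parse_digest_challenge(CHALLENGE)
    print(digest_response("Mufasa", "Circle Of Life", "GET",
                          "/dir/index.html", chal, cnonce="0a4f113b"))
    print(recover_basic(basic_header("Mufasa", "Circle Of Life")))
```

The Digest value is bound to the server's nonce, so it cannot be precomputed into a static URL or iframe `src`, whereas the Basic header decodes straight back to the username and password.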
Re: Is it possible to bypass http authentication?
Why don't you use NTLM authentication with AD?
Re: Is it possible to bypass http authentication?
Hmmmmm
ruffsense, I've never thought about that.
We're moving/going to use Kerberos in the future, so might be worth investing some time in it.
I'd do some reading before I ask more questions.
Re: Is it possible to bypass http authentication?
Kerberos is a really old method, but in my environment I use both.
kalianto wrote:
Hmmmmm
ruffsense, I've never thought about that.
We're moving/going to use Kerberos in the future, so might be worth investing some time in it.
I'd do some reading before I ask more questions.
sreinhardt
Re: Is it possible to bypass http authentication?
I'm going to lock this down since the question has been answered. Of course, feel free to PM or create another topic if you wish to discuss Kerberos or NTLM auth possibilities.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.