[mythtv] Simple MythWeb hack...help needed

Bill Williamson bill at bbqninja.com
Thu Nov 15 23:58:50 UTC 2007


On 11/16/07, Michael Tiller <michael.tiller at gmail.com> wrote:
> On Nov 15, 2007 6:39 PM, Mark Rafn <dagon at dagon.net> wrote:
>
> > On Thu, 15 Nov 2007, Michael Tiller wrote:
> >
> >
> >
> > The module handles authentication, not authorization.  But Apache handles
> > both, using the module for authentication and its own rules for
> > authorization.  Mythweb shouldn't care, unless it wants different
> > preferences per user or something.
>
> Yes, I was thinking the same thing...
>
> > Can you just add
> >    require valid-user
>
> That by itself doesn't work.  It says I need to specify AuthType.  But I
> have no idea what to set it to.  If I set it to "Basic", it prompts me for
> a password.  So if you know what I need to put there, that would be great.
>
> > Oh, and don't forget to force SSL-only connections for mythweb if you're
> > making it externally accessible.  Otherwise your openid authentication
> > token can be stolen.
>
> Hmmm...is that really true?  My OpenID provider is VeriSign and I'm pretty
> sure they only allow https for requests.


Yes.  The final step in OpenID (or most other SSO schemes) is a
redirect back to your site with a token.  If YOUR site is not SSL,
then you are vulnerable to MITM attacks.
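
Added example, not part of the original message: a Python check of the point above, that an https-only provider does not protect the final redirect back to the relying party. It audits an OpenID 2.0 `checkid_setup` redirect URL and flags an `http` `openid.return_to` or realm; the host names and function names are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Fields of an OpenID 2.0 positive assertion (openid.mode=id_res) that the
# browser carries back to the relying party on the final redirect.
ASSERTION_FIELDS = ("openid.claimed_id", "openid.identity",
                    "openid.assoc_handle", "openid.response_nonce", "openid.sig")


def build_request(provider, return_to, realm):
    """Build a checkid_setup redirect URL (constructed sample input)."""
    query = urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
    })
    return provider + "?" + query


def audit_auth_request(request_url):
    """Return findings for one relying-party -> provider redirect URL."""
    findings = []
    parts = urlsplit(request_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.scheme != "https":
        findings.append("provider endpoint is not https")
    return_to = params.get("openid.return_to", "")
    if urlsplit(return_to).scheme != "https":
        findings.append("return_to is not https: " + ", ".join(ASSERTION_FIELDS)
                        + " come back in cleartext")
    # OpenID 1.1 calls the realm trust_root.
    realm = params.get("openid.realm") or params.get("openid.trust_root", "")
    if realm and urlsplit(realm).scheme != "https":
        findings.append("realm is not https: it only matches http return_to URLs")
    return findings


# Constructed hosts: op.example.net (provider), mythbox.example.org (MythWeb).
WEAK = build_request("https://op.example.net/auth",
                     "http://mythbox.example.org/mythweb/",
                     "http://mythbox.example.org/")
STRONG = build_request("https://op.example.net/auth",
                       "https://mythbox.example.org/mythweb/",
                       "https://mythbox.example.org/")

if __name__ == "__main__":
    for name, url in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_auth_request(url) or "ok")
```

The `WEAK` request uses an https provider throughout and still yields two findings, because the assertion fields travel on the redirect to the `http` MythWeb URL.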

