Check Authorization / WWW-Authenticate headers

Hi Erich,

I'm not sure if I got every detail of your explanation, but it looks like you are aiming for a simple "username" access-list/filter infront of the real server. Right?

Then you may try this code...

set userlist "foo bar"
catch HTTP::username username
if { [lsearch $userlist $username] equals -1 } then { 
    ACCESS::session remove 
    HTTP::respond 401 content "Authentication Required" \
                     "Content-Type" "text/html" \
                     "WWW-Authenticate" "Basic realm=\"[HTTP::host]\""
    return
}

BTW: If your application doesn't even send an error code 401 on allowed username but wrong passwords, then you have to provide additional information about the HTTP::response the server is sending.

Cheers, Kai