Eric_Kolb_27656
Apr 02, 2012 | Nimbostratus
Configuring an HTTP Basic AAA Server
While most of our web applications have moved to using our Active Directory user store, we have a few legacy applications for a class of non-corporate users that need their own SSO profile. We've created a one-page web application to serve as the AAA server to manually compare submitted credentials against what's in the database, and we're trying to set this up as an HTTP/Basic AAA server.
The problem that we're encountering is that the service always returns that the auth passed, even when submitting a false or no password.
The logic of the page looks a little something like this:
if credentials were submitted...
    if the username is not alphanumeric... status code 401 & exit
    if the username does not exist or is inactive... status code 401 & exit
    if the password does not match the expected... status code 401 & exit
    if the bad login attempt count >= 3... status code 401 & exit
    otherwise... return welcome message & exit
otherwise... status code 401 & exit
When we return the status code 401, we're sending our generic error message with the status code as well as displaying it in the message content. This is along with the WWW-Authenticate: Basic header.
I'm not finding any documentation on building a service to this purpose, so any advice in getting this off the ground would be appreciated.
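The logic described in the post, written out as an added, stand-alone example (not the poster's page and not F5 code) of an HTTP Basic check whose outcome is carried by the HTTP status line: it parses the Authorization header, runs the alphanumeric / exists-and-active / lockout / password steps, and answers 401 with a WWW-Authenticate: Basic header on every failure path and 200 only when all checks pass. The user store, salt, realm name and lockout threshold are constructed for the demo; a real deployment would read the user record from the database the post mentions. The lockout counter is checked before the password compare here so that a locked account does no hashing work.

```python
import base64
import hashlib
import hmac

# Constructed demo user store (hypothetical); a real AAA page would query its database.
_SALT = b"constructed-demo-salt"
MAX_FAILURES = 3
REALM = "legacy-sso"


def _hash(password):
    # Salted PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {
    "alice": {"hash": _hash("correct-horse"), "active": True, "failures": 0},
    "bob": {"hash": _hash("secret"), "active": False, "failures": 0},   # inactive
    "carol": {"hash": _hash("pw"), "active": True, "failures": 3},      # locked out
}


def parse_basic(header):
    """Return (username, password) from an 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def check_credentials(header):
    """The post's decision steps; True only when every check passes."""
    parsed = parse_basic(header)
    if parsed is None:              # no credentials submitted
        return False
    user, password = parsed
    if not user.isalnum():          # username must be alphanumeric
        return False
    rec = USERS.get(user)
    if rec is None or not rec["active"]:   # unknown or inactive user
        return False
    if rec["failures"] >= MAX_FAILURES:    # bad-login lockout
        return False
    if not hmac.compare_digest(rec["hash"], _hash(password)):  # constant-time compare
        rec["failures"] += 1
        return False
    rec["failures"] = 0
    return True


def app(environ, start_response):
    """WSGI application: the status line, not just the body, says pass or fail."""
    if check_credentials(environ.get("HTTP_AUTHORIZATION")):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"Welcome"]
    start_response("401 Unauthorized", [
        ("Content-Type", "text/plain"),
        ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
    ])
    return [b"Authentication failed"]


def handle(header):
    """Drive app() without a socket; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"HTTP_AUTHORIZATION": header} if header else {}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def basic_header(user, password):
    """Build the header value a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

When testing a service like this, watch the status line rather than the page text: a client that sees 200 with an error message in the body will treat the login as successful, and a missing or malformed Authorization header must take the 401 path just like a wrong password.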