Forum Discussion

Eric_Kolb_27656
Apr 02, 2012

Configuring an HTTP Basic AAA Server

While most of our web applications have moved to using our Active Directory user store, we have a few legacy applications for a class of non-corporate users that need their own SSO profile. We've created a one-page web application to serve as the AAA server to manually compare submitted credentials against what's in the database, and we're trying to set this up as an HTTP/Basic AAA server.

The problem that we're encountering is that the service always returns that the auth passed, even when submitting a false or no password.

The logic of the page looks a little something like this:

    if credentials were submitted...
        if the username is not alphanumeric... status code 401 & exit
        if the username does not exist or is inactive... status code 401 & exit
        if the password does not match the expected... status code 401 & exit
        if the bad login attempt count >= 3... status code 401 & exit
        otherwise... return welcome message & exit
    otherwise... status code 401 & exit

When we return the status code 401, we're sending our generic error message with the status code as well as displaying it in the message content. This is along with the WWW-Authenticate: Basic header.

I'm not finding any documentation on building a service to this purpose, so any advice in getting this off the ground would be appreciated.

3 Replies

  • Nevermind, got it with enough tinkering. Any body content in the response is interpreted as a success.
  • Having a similar issue - you're saying any body content in the response is interpreted as a success -- does this mean that the "Successful Logon Detection Match Value" field does nothing?
  • I've never seen any real benefit or effect from Successful Logon Detection Match Value myself.
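As an added illustration (not code from the thread, from the original poster, or from F5), here is a minimal Python WSGI endpoint that implements the logic the post describes, written around the finding reported in the first reply: every rejection is a 401 with the WWW-Authenticate challenge and an empty body, so that the generic error text can never be read as a successful logon. The in-memory user store, the salt, the realm name, the lockout threshold and the `wsgi_app`/`authenticate`/`basic_header` names are all assumptions made for the example; the real page would consult its database instead. The lockout check is placed ahead of the password comparison so a locked account's password is never evaluated, and the comparison uses a constant-time digest check.

```python
import base64
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; the store keeps hashes, never clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample data for the example. A fixed salt keeps the example
# deterministic; a real store would use a random per-user salt.
_SALT = b"example-fixed-salt"
MAX_FAILURES = 3  # assumed lockout threshold, matching the ">= 3" in the post
REALM = "legacy"  # assumed realm name

USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "active": True, "failures": 0},
    "bob": {"hash": _hash_password("hunter2", _SALT), "active": False, "failures": 0},
    "carol": {"hash": _hash_password("s3cret", _SALT), "active": True, "failures": 3},
}


def _deny():
    """Uniform rejection: 401, Basic challenge, and an EMPTY body.

    The thread reports that any body content in the response is treated as a
    successful logon, so the generic error message must not be sent here.
    """
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, b""


def _parse_basic(authorization):
    """Return (username, password) from a Basic header, or None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def authenticate(headers, users=USERS):
    """Apply the post's checks to a dict of request headers.

    Returns (status, response_headers, body). Only a success carries a body.
    """
    creds = _parse_basic(headers.get("Authorization"))
    if creds is None:  # no credentials submitted, or not decodable
        return _deny()
    username, password = creds
    if not username.isalnum():  # rejects empty and non-alphanumeric names
        return _deny()
    user = users.get(username)
    if user is None or not user["active"]:
        return _deny()
    if user["failures"] >= MAX_FAILURES:  # locked out before the password is checked
        return _deny()
    if not hmac.compare_digest(user["hash"], _hash_password(password, _SALT)):
        user["failures"] += 1
        return _deny()
    user["failures"] = 0
    return 200, {"Content-Type": "text/plain"}, b"Welcome " + username.encode("utf-8")


def basic_header(username, password):
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def wsgi_app(environ, start_response):
    """WSGI adapter so the logic can be served, e.g. with wsgiref.simple_server."""
    status, headers, body = authenticate({"Authorization": environ.get("HTTP_AUTHORIZATION")})
    reason = {200: "200 OK", 401: "401 Unauthorized"}[status]
    headers["Content-Length"] = str(len(body))
    start_response(reason, list(headers.items()))
    return [body]
```

To run it locally, `wsgiref.simple_server.make_server("127.0.0.1", 8080, wsgi_app).serve_forever()` is enough; a request without credentials receives the challenge and a zero-length body, and only a valid, active, non-locked-out user receives the welcome text.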