BernieC has asked for the wisdom of the Perl Monks concerning the following question:

I've done CGI programming for a lot of years and occasionally messed with our Apache config, and I've never heard the term 'realm' before. I see that it is part of the htaccess auth config on the server, but that doesn't help if I don't have access to the server.

I've read through the various threads about it and I've ended up more confused than I started. This:

    <form method="post" action="https://panel.dreamhost.com/index.cgi" class="login-form form-default js-login-form">
      <fieldset class="login-standard js-login-standard">
        <div class="form-row floating-label">
          <input type="text" name="username" id="username" placeholder="Email" class="js-login-username" required autofocus />
          <label for="email">Email</label>
        </div>
        <div class="form-row floating-label">
          <input type="password" name="password" id="password" autocomplete="off" placeholder="Password" required />
          <label for="password">Password</label>
        </div>

is the only info I have access to. Is there something in the HTML that tells me the realm to use? If not, where does it hide? Thanks /bernie\

Replies are listed 'Best First'.
Re: lwp and realms
by haj (Vicar) on Jul 24, 2018 at 08:53 UTC

    For authentication based on an HTML form with username and password, Apache is not involved and its realm is irrelevant. The application handles the authentication by itself and has its own user repository.

    An application can delegate authentication to the web server, which does it on the HTTP protocol level. In that case you use the realm to distinguish different applications running on the same server from each other, each having their own user/password repository. The browser pops up an authentication form (no HTML involved) and uses the realm to tell the user to which application he's about to authenticate himself. The current RFC 7235 describes the realm as a "protection space".

    I don't see this often these days, with the notable exception of web servers which in turn delegate authentication to a central service, for example for single-sign-on in intranets, where Apache uses mod_ntlm or mod_auth_kerb to let a Windows AD controller do the authentication.

Re: lwp and realms
by hippo (Archbishop) on Jul 23, 2018 at 21:15 UTC
    Is there something in the HTML that tells me the realm to use?

    Not in the HTML but in the HTTP. For example, try this:

    HEAD https://pause.perl.org/pause/authenquery < /dev/null

    and you will see the WWW-Authenticate: response header which includes the realm.
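
The same check from inside a Perl script, as an added example that is not part of the original thread: it reads the scheme and realm out of `WWW-Authenticate`, registers credentials with LWP for that realm, and shows that a form-login response carries no realm at all. The two responses, the host `www.example.com:443`, and the user name and password are constructed placeholders.

```perl
use strict;
use warnings;
use HTTP::Response;
use HTTP::Headers::Util qw(split_header_words);
use LWP::UserAgent;

# Constructed responses for illustration; nothing here touches the network.
my %sample = (
    'HTTP-level auth' => HTTP::Response->new(
        401, 'Unauthorized',
        [ 'WWW-Authenticate' => 'Basic realm="Example Area", charset="UTF-8"' ],
    ),
    'HTML form login' => HTTP::Response->new(
        200, 'OK', [ 'Content-Type' => 'text/html' ],
        '<form method="post" action="/index.cgi">...</form>',
    ),
);

# Return one hashref per challenge: { scheme => 'basic', realm => '...', ... }.
sub challenges {
    my ($res) = @_;
    my @found;
    for my $words (split_header_words($res->header('WWW-Authenticate'))) {
        my @kv = @$words;
        # A leading token without a value is an auth scheme (Basic, Digest).
        if (@kv && !defined $kv[1]) {
            push @found, { scheme => lc $kv[0] };
            splice(@kv, 0, 2);
        }
        next unless @found;
        while (my ($k, $v) = splice(@kv, 0, 2)) {
            $found[-1]{ lc $k } = $v;
        }
    }
    return @found;
}

my $ua     = LWP::UserAgent->new;
my $netloc = 'www.example.com:443';    # constructed host:port
for my $name (sort keys %sample) {
    my @ch = challenges($sample{$name});
    if (!@ch) { print "$name: no WWW-Authenticate header, so no realm\n"; next }
    for my $c (@ch) {
        my $realm = $c->{realm} // '';
        print "$name: scheme=$c->{scheme} realm=\"$realm\"\n";
        # LWP looks stored credentials up by host:port plus realm.
        $ua->credentials($netloc, $realm, 'user', 'placeholder-password');
    }
}
```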

Re: lwp and realms
by BernieC (Pilgrim) on Jul 23, 2018 at 19:54 UTC

    I think I'll just try "submitting" the form {with a hidden field I omitted above} and see what happens. I should get two things back if it works: the HTML of their "dashboard" and a cookie or two that'll let me in for subsequent GETs.

    /b\