Just deducting from what I know of VMS and the HTTP protocol, and what I have experienced in this area (mainly by using Apache, but I know a little about OSU):
What you want to achieve is authentication by the web browser, to check wether the requestor (HTTP bowser) ahs access to the requested page (HTTP server). Since the LOCATION where the requested page resides is protected this way, the credentials will have to be checked BEFORE the reqeust is serviced at all. Since there is, AFAIK, no automated authentication in the HTTP protocol, the only way for the server to get this data is by asking the requestor.
You can always check this in the access logs. Only if credentials have been asked, the username will show up. Otherwise, requests will be "anonymous" - without a name. So proxies have no meaning here (I think). Apache will quite likely bypass them anyway: it checks validity against SYSUAF.
However: do you need this?
If ANY user that has successfully logged in into the Windows domain has access to these protected websites, I don't see the need for an extra authentication - they already did.
The case is different if there are distictions: some are allowed acecss where others are not. As said above, the default access is "anonymous" so there is no other way to get the user's credentials that just asking. Unless there have been taken measures to make this information persistent (via cookies, indeed) this will be done each new session.
Another approach is using certificates: be your own Certificate Autority and issue certificates to those that need access to the secured site. I know it can be done using Apache, it might very well be possible to do this with OSU.
Willem
Willem
Willem Grooters
OpenVMS Developer & System Manager
