Add 'Only force authentication on the following restricted pages' setting
| Project: | Secure Site |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Darren Oh |
| Status: | needs work |
The HTTP authentication (httpauth) module will be deprecated in favour of Secure Site (securesite), and we need to make sure we don't lose any functionality in the process. There is one feature missing in securesite.
httpauth forces authentication on restricted pages but only on certain paths. This functionality is to keep the authentication away from users visiting using their normal browser (by limiting it to RSS paths such as */feed and index.rss).
Proposal is to add a text field called 'Only force authentication on the following restricted pages'. If this text field is empty, all paths match. If this text field is not empty, it is interpreted like the 'Show only on pages' option for blocks. Preferably this field would dynamically appear depending on the selected 'Force authentication' setting.
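
The matching rule proposed above, sketched as stand-alone PHP. This is an added example, not part of the original post and not Secure Site's or httpauth's code; the function names, the `node` front page default and the sample setting are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not the module's API.

/**
 * Returns TRUE when $path matches one of the newline-separated $patterns.
 * '*' is a wildcard and '<front>' stands for the front page path, in the
 * style of the block visibility 'Show only on pages' field.
 */
function example_path_matches($path, $patterns, $front = 'node') {
  $parts = array();
  foreach (preg_split('/\r\n|\r|\n/', trim($patterns)) as $line) {
    $line = trim($line);
    if ($line === '') {
      continue;
    }
    if ($line === '<front>') {
      $line = $front;
    }
    // Quote regex metacharacters, then turn the escaped '*' into '.*'.
    $parts[] = str_replace('\*', '.*', preg_quote($line, '/'));
  }
  if (!$parts) {
    return FALSE;
  }
  // Anchor both ends so 'index.rss' does not match 'foo/index.rss.bak'.
  return (bool) preg_match('/^(' . implode('|', $parts) . ')$/', $path);
}

/**
 * Decides whether a restricted page answers with an HTTP authentication
 * challenge rather than the normal Drupal login form or 403 page.
 * An empty setting means every restricted path matches, as proposed.
 */
function example_force_http_auth($path, $setting) {
  if (trim($setting) === '') {
    return TRUE;
  }
  return example_path_matches($path, $setting);
}

// Constructed sample setting limiting HTTP authentication to feed paths.
$setting = "*/feed\nindex.rss\nrss.xml";
foreach (array('blog/feed', 'index.rss', 'node/12', 'user/login') as $path) {
  $result = example_force_http_auth($path, $setting) ? 'HTTP auth' : 'Drupal login form';
  printf("%-12s %s\n", $path, $result);
}
```

The setting only selects which response a restricted page gives; access checks still apply to every path. A real implementation would also have to decide whether to test the URL alias, the internal path, or both.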

#1
#2
I think what we need is something less than forced authentication. An optional HTTP authentication that would show the anonymous user version of the page if the user cancels the authentication dialog. It might be best to have a separate tab on the settings page for this.
#3
I lost most of the work I did on this, but here is a patch of what I could save.
#4
#2: Maybe that can be useful as well, but SecureSite for D5 used to offer exactly what naquah described in the OP, and this is must-have functionality in my book.
If a feed is protected, then every access by every feed reader causes a watchdog 'access denied' entry, which is a royal pain. There is no "anonymous user version" of those pages — only the 'access denied' page and the watchdog entry.
And, just like naquah, I'd like to get the login dialog only for feed paths and keep the Drupal log-in form for all other accesses to protected pages.
Using forced authentication on the feed pages allows the smart feed readers to access, and it keeps the dumb ones out of the site and out of the watchdog log. Exactly what we need for this use case. Maybe that code is still in 6.x-1.x?
Being able to trigger authentication (like httpauth's ?authenticate parameter for feeds that show more items if authenticated) would be a nice plus, but it's above and beyond the basic request in the OP.
#5
I think there is a misunderstanding here. You can already enable HTTP authentication without forcing it. There was a bug in the update from Drupal 5 to Drupal 6 that kept settings from being properly transferred, so check your Secure Site settings page.
#6
(Argh, I shouldn't have written that last paragraph in #4 — it distracted from my message. Please ignore it!)
#7
We do need the ability to specify which paths trigger HTTP authentication, and which get a normal Drupal 403. My use case is the same as salvis'. I have a site where no content is available to non-logged-in users. So login will be needed in all cases.
I need the normal Drupal login form to appear in most cases (it has been customised and hooked by other modules for my site).
However, for RSS readers, I want the HTTP basic authentication, as this is the only thing that they understand. I would love to be able to trigger this great module only on these URLs.
#8
I don't think either of you studied my patch. I was working on exactly what you are asking for, plus the ability to show the non-logged-in version of a page if HTTP authentication is canceled. Haven't had time to work on it since.
#9
Darren, your patch isn't completely functional, is it? I see the HTTP authentication pages page, but it's empty other than the Save configuration and Reset to defaults buttons. This is the last issue I have to solve to complete my D6 upgrade. My entire site is password protected, and I only need to have an RSS podcast feed use HTTP auth so that people can subscribe to it in iTunes. Can I manually set the path I want in the database somewhere, or in one of the module files? I'm no PHP or MySQL expert, but I'm comfortable updating code if given a patch. Thanks in advance.
#10
That's correct. If my patch were complete I would simply have committed it. I posted it here to help anyone who wants to work on the issue.
#11
+1 for this feature... I need to restrict pages only for certain paths. I used to be able to do this in the 5.x version of the module and it was my primary reason for using the module. I'd love to see this feature brought back.
Cheers,
Ben
#12
I agree; the ability to secure only certain paths is critical. There is even an option that says "Force authentication: On restricted pages", but I can't find anywhere to specify which pages should be restricted.
Also, there ought to be the inverse: "Force authentication: On all pages except for..." with the ability to list certain URLs that do not require authentication (/cron.php, for example).