We use HTTP Basic Authentication to prevent accidental access to our dev sites. However, we are finding that this is not compatible with CiviCRM. When we have this working, CiviCRM pages do not work.

We are using NGINX. Here is the documentation for what we are doing:

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

Are we doing something wrong or can someone suggest an alternative method for protecting these sites that will work with CiviCRM?

Most helpful answers

Check the settings at /civicrm/admin/setting/authx?reset=1.

I can't recall which one to change. It might be "Acceptable credentials (HTTP Session Login)". Remove "User Password" from the list (again I'm not totally sure but that's probably the one).

Comments

Heya Tim,

Can you provide:

  • Screenshot(s)
  • Error log(s)
  • syslog(s)

To help further investigate?

I use this mechanism to password protect my Webmin installation. In my experience, HTTP Basic Authentication does not usually interfere with the website it is protecting.

But it does require a correct configuration in a few places:

  1. Web server
  2. File system
  3. File contents
  4. Correct linkage/permissions of password file

In the absence of more diagnostics, tough to say much more.  The error logs of the above (sub)systems would be most helpful.

g.
----

Hello herb,

I am working on this site with Tim Erickson (stpaultim).

Thanks for the suggestion! I was able to solve the problem by removing everything from the "Acceptable credentials (HTTP Header)" field instead of just the "User Password." After doing this, CiviCRM started working as expected with HTTP Basic Authentication.

However, I'm not sure if this solution is secure. Could anyone confirm whether this approach introduces any security concerns? I want to make sure the site remains properly protected while using HTTP Basic Authentication. Any insights would be greatly appreciated!

On our sites with Basic Auth we haven't needed to remove them all. That being said, removing them all doesn't make it less secure. Instead, it means no authentication means will be accepted in the header. See https://docs.civicrm.org/dev/en/latest/framework/authx/.

These authentication settings are used for REST calls from other applications. You probably aren't doing any REST calls if you haven't encountered these settings yet.
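The conflict described in this thread comes from two layers reading the same `Authorization: Basic` header: nginx checks it against its htpasswd file and then forwards it untouched, and CiviCRM's authx layer may treat it as a login attempt. The following is an added, constructed model of that interaction (not CiviCRM's or nginx's own code); it assumes that authx rejects a header whose credential type is accepted but whose username/password is not a CiviCRM login, and uses `"pass"` as the model's name for the "User Password" option.

```python
import base64

# Constructed accounts: the nginx gate user is NOT a CiviCRM user, which is the
# normal situation on a dev site protected this way.
NGINX_HTPASSWD = {"devgate": "letmein"}   # what nginx's auth_basic_user_file holds
CIVI_USERS = {"alice": "alice-secret"}    # what CiviCRM would accept as a login


def parse_basic(headers):
    """Return (user, password) from an 'Authorization: Basic ...' header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def nginx_gate(headers):
    """auth_basic: 401 unless the header matches the htpasswd file; on success the
    request is passed on with the Authorization header still attached."""
    cred = parse_basic(headers)
    if cred is None or NGINX_HTPASSWD.get(cred[0]) != cred[1]:
        return 401
    return None


def civi_authx(headers, header_credentials, has_session):
    """Assumed model of authx's 'Acceptable credentials (HTTP Header)' check."""
    cred = parse_basic(headers)
    if cred is not None and "pass" in header_credentials:
        if CIVI_USERS.get(cred[0]) == cred[1]:
            return 200          # header login as a real CiviCRM user
        return 401              # nginx gate password is not a CiviCRM login
    return 200 if has_session else 403   # header ignored; session rules apply


def request(headers, header_credentials, has_session=True):
    """Full path of one request: nginx gate first, then CiviCRM. Returns a status."""
    status = nginx_gate(headers)
    return status if status is not None else civi_authx(headers, header_credentials, has_session)


def basic_header(user, password):
    """Build the header a browser sends after the nginx Basic Auth prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

Running `request(basic_header("devgate", "letmein"), {"pass", "api_key"})` reproduces the failure, while the same request with `"pass"` removed, or with the set emptied, goes through.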