View Single Post
My consulting website is hosted on a Mac OS X Server. I use Basic Authentication to provide a protected sub-site for each client. The structure looks like this:
Each client has their own username and password. Only I can access the "clients" folder. Each client folder can be access by just the client and me (ward). I've been using this scheme for a couple of years.

Starting a couple of days ago, I began having trouble accessing "/clients/index.html". I'd either be prompted for my username + password (which OmniWeb should have found in my Keychain), or I'd get an "Authorization Required" error page.

I think I found what's happening - creating a new client folder messes up Keychain:
  1. Add the client folder to the site.
  2. Using Server Admin, add a new protected realm for the folder, allowing access by the client and me.
  3. Attempt to open the client home page (e.g., /clients/linda/index.html). Although I have already authenticated at the "/clients" level, OmniWeb prompts me for a username + password.
  4. Although I've never really understood why my authorization at the "/clients" level doesn't automatically give me access to the individual client folders, I'm forced to respond. My practice has been to enter the client's username + password - this validates the setup I did in Server Admin, and it records the client username and password in my Keychain.
At this point, I can see the new client home page.

All seems fine until I attempt to open "/clients/index.html" ... the "Authorization Required" error page appears.

In Keychain Access, I see that the most recent keychain entry looks like this:
Kind: Internet password
Account: ward
Comments: default
Show password: linda's password
This entry has two problems:
  • "Where" is the root of my site.
  • My account name is matched with the new client's password.
Two things happened about the time I first noticed the symptoms of this problem:
  • I upgraded to OmniWeb 5.7 beta 2.
  • I added a couple of new client folders.
So I'm not sure whether to point the bug finder at OmniWeb or Keychain (which may have been updated when I upgraded to 10.5.2 several weeks ago).

[submitted as formal feedback]