IBM Verify

Is HTTPD AuthName still supported? or is it deprecated

  • 1.  Is HTTPD AuthName still supported? or is it deprecated

    Posted Sat November 20, 2021 12:00 PM
    I have HTTPD configured with
    <Directory "/u/mqweb3/htdocs">
        # Run each request under the authenticated client's SAF identity
        SAFRunAs %%CLIENT%%
        # Realm name sent to the client in the WWW-Authenticate header
        AuthName colinrealm
        # Validate basic-auth credentials against SAF
        AuthBasicProvider saf
        # Any of these SAF users, or any member of this SAF group, may access the directory
        Require saf-user ADCDA
        Require saf-user COLIN
        Require saf-group SYS1
    </Directory>

    The doc says
    This directive sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send.


    When I try to sign on I get a pop up
    Sign in
    http:10.1.1.28833
    Your connection to this site is not private
    Username...
    Password
           Cancel .. Sign in



    I do not see the authname in any flows from the server.

    https://stackoverflow.com/questions/36064642/how-can-i-make-sure-authname-works-in-all-browsers
    says

    The AuthName directive sets the realm parameter in the corresponding header, something like:

    WWW-Authenticate: Basic realm="HELLO WORLD"
    

    I found a Chromium ticket from October 2015 that reports a man in the middle attack related to HTTP authentication: Issue 544244 - HTTP basic auth credentials prompt should make the origin stand out more. During the discussion it was pointed out that text in realm cannot be trusted and can be used in phishing attacks to trick users into revealing passwords to third parties. I'm not a security expert but I understand that a proxy can inject headers (and usually does), thus the issue.

    Apparently, the realm was removed from the authentication dialogue as a result of this and the changes were eventually ported to Chrome. You can see the Do not show untrustworthy strings in the basic auth dialog code review for further details.
    ------------------------------
    Colin Paice
    ------------------------------
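Since the browser dialog no longer shows the realm, the only reliable place to confirm that AuthName reached the client is the 401 response itself. The following is an added example (not code from the original post): a small parser for the WWW-Authenticate header, run over a constructed 401 response; the header values and realm are sample data, not captured from the poster's server.

```python
"""Verify the realm in a 401 response's WWW-Authenticate header on the wire."""
import re

# token = 1*tchar (RFC 7230); auth-param = token "=" ( token / quoted-string )
_TOKEN = r'[A-Za-z0-9!#$%&\'*+.^_`|~-]+'
_SCHEME = re.compile(r'\s*(' + _TOKEN + r')(?:\s+|$)')
_PARAM = re.compile(
    r'\s*(' + _TOKEN + r')\s*=\s*'          # parameter name
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))'    # quoted-string (with \-escapes) or token
    r'\s*(?:,|$)'                           # separator or end of header value
)

def parse_challenge(value):
    """Parse one challenge, e.g. 'Basic realm="x"', into (scheme, {param: value})."""
    m = _SCHEME.match(value)
    if not m:
        raise ValueError("no auth-scheme in challenge: %r" % value)
    scheme, params, pos = m.group(1).lower(), {}, m.end()
    while pos < len(value):
        pm = _PARAM.match(value, pos)
        if not pm:
            raise ValueError("malformed auth-param at offset %d: %r" % (pos, value[pos:]))
        if pm.group(2) is not None:
            # quoted-string: undo quoted-pair escapes such as \" inside the realm
            params[pm.group(1).lower()] = re.sub(r'\\(.)', r'\1', pm.group(2))
        else:
            params[pm.group(1).lower()] = pm.group(3)
        pos = pm.end()
    return scheme, params

def www_authenticate_values(raw_response):
    """Collect every WWW-Authenticate header value from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip() for line in head.split("\r\n")[1:]
            if line.lower().startswith("www-authenticate:")]

def basic_realm(header_values):
    """Return the realm of the first Basic challenge, or None if there is none."""
    for value in header_values:
        scheme, params = parse_challenge(value)
        if scheme == "basic":
            return params.get("realm")
    return None

# Constructed sample 401 response; realm matches the AuthName from the config above.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "Server: Apache\r\n"
              'WWW-Authenticate: Basic realm="colinrealm"\r\n'
              "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("realm sent by server:", basic_realm(www_authenticate_values(SAMPLE_401)))
```

Against a live server the same check is the `WWW-Authenticate` line in `curl -i` output; the browser prompt's absence of the realm says nothing about whether the server sent it.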