Is there a way to switch the authentication process to use https, but then go back to http to serve the actual resource?
What I would like to do is have the site use http by default, but use https if there is an ACL on a resource that requires the user to send userid/password. I have basic authentication working with Active Directory now thanks to this board, but need to secure the wire to client.
You can't do that with basic or digest HTTP authentication. With HTTP authentication, the credentials are sent on every request. There's no way to protect the credentials in the request using SSL without using SSL for the response as well.
When using HTTP authentication, your best bet would be to designate part of the site as secure. That part of the site would use SSL and could require authentication with ACLs. For example, you could add the following below the <Object name="default"> line in obj.conf to require that all accesses to the /secure directory use SSL:<Client security="false">
NameTrans fn="redirect" from="/secure" url-prefix="https://example.com/secure"
</Client>
