httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29928] New: - mod_auth isn't applying AuthAuthoratative directive
Date Tue, 06 Jul 2004 08:02:22 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29928>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29928

mod_auth isn't applying AuthAuthoratative directive 

           Summary: mod_auth isn't applying AuthAuthoratative directive
           Product: Apache httpd-2.0
           Version: 2.0.49
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: frank.van.gestel@philips.com


If the AuthAuthoritative directive is set to off, mod_auth should return 
DECLINED whenever authentication or authorization fails.
It seems that the routine authenticate_basic_user always returns 
HTTP_UNAUTHORIZED if no username and password are available. In my perspective, 
mod_auth should return DECLINED, and subsequent modules in the chain should 
return HTTP_UNAUTHORIZED.
In the current situation, when using mod_auth in combination with another module which takes 
care of authentication, mod_auth should always be placed last in the chain, as otherwise 
the other module can never supply credentials. This also means that 
authenticating/authorizing users using mod_auth with plain text files can take 
a lot of time if the previous module is slow.
Proposed change:
old:
    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
                return res;
    }
new:
    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        if ( (res == HTTP_UNAUTHORIZED) && !(conf->auth_authoritative) ) {
                return DECLINED;
        } else {
                return res;
        }
    }
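
Review bot: in the new branch, returning DECLINED when `res == HTTP_UNAUTHORIZED` and `conf->auth_authoritative` is off leaves nothing to answer with HTTP_UNAUTHORIZED if mod_auth is the only or the last authentication module in the chain; the report relies on a subsequent module doing so. That requirement should be stated alongside the directive, or the case where no module follows should be handled explicitly. Style point: the `else` after `return DECLINED;` is redundant, so `return res;` can follow the inner `if` directly.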

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
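
The chain behaviour described in the report, as an added example that is not part of the original message or of Apache's source: a simplified C model in which the first module that does not return DECLINED decides the request. `req_t`, `get_basic_auth_pw`, `other_module` and `run_chain` are hypothetical stand-ins, and mod_auth's password check is omitted.

```c
#include <stdio.h>

/* Apache's handler return codes (values as in httpd.h). */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Constructed request model: which credentials the client sent. */
typedef struct {
    int has_basic_header;   /* an Authorization: Basic header is present */
    int has_other_cred;     /* a credential only other_module understands */
    int auth_authoritative; /* AuthAuthoritative on (1) or off (0) */
} req_t;
typedef int (*hook_fn)(const req_t *);

/* Stand-in for ap_get_basic_auth_pw(): 401 when no Basic header was sent. */
static int get_basic_auth_pw(const req_t *r) {
    return r->has_basic_header ? OK : HTTP_UNAUTHORIZED;
}
/* "old" behaviour from the report: any non-zero result is returned as is. */
int mod_auth_old(const req_t *r) {
    int res;
    if ((res = get_basic_auth_pw(r))) return res;
    return OK;
}
/* "new" behaviour proposed in the report. */
int mod_auth_new(const req_t *r) {
    int res;
    if ((res = get_basic_auth_pw(r))) {
        if (res == HTTP_UNAUTHORIZED && !r->auth_authoritative) return DECLINED;
        return res;
    }
    return OK;
}
/* Hypothetical second authentication module placed after mod_auth. */
int other_module(const req_t *r) {
    return r->has_other_cred ? OK : HTTP_UNAUTHORIZED;
}
/* The first hook that does not return DECLINED decides the request. */
int run_chain(hook_fn *hooks, int n, const req_t *r) {
    for (int i = 0; i < n; i++) {
        int rc = hooks[i](r);
        if (rc != DECLINED) return rc;
    }
    return DECLINED;
}
int main(void) {
    req_t r = { 0, 1, 0 }; /* only the other module's credential, directive off */
    hook_fn old_chain[] = { mod_auth_old, other_module };
    hook_fn new_chain[] = { mod_auth_new, other_module };
    printf("old: %d\nnew: %d\n", run_chain(old_chain, 2, &r), run_chain(new_chain, 2, &r));
    return 0;
}
```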

