http://issues.apache.org/bugzilla/show_bug.cgi?id=29928
Summary: mod_auth isn't applying AuthAuthoritative directive
Product: Apache httpd-2.0
Version: 2.0.49
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: mod_auth
AssignedTo: bugs@httpd.apache.org
ReportedBy: frank.van.gestel@philips.com

If the AuthAuthoritative directive is set to off, mod_auth should return
DECLINED whenever authentication or authorization fails.

It seems that the routine authenticate_basic_user always returns
HTTP_UNAUTHORIZED if no username and password are available. In my perspective,
mod_auth should return DECLINED, and subsequent modules in the chain should
return HTTP_UNAUTHORIZED.

In the current situation, when using mod_auth in combination with another
module which takes care of authentication, mod_auth should always be placed
last in the chain, as otherwise the other module can never supply credentials.
This also means that authenticating/authorizing users using mod_auth with plain
text files can take a lot of time if the previous module is slow.

Proposed change:

Old:

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        return res;
    }

New:

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        if ((res == HTTP_UNAUTHORIZED) && !(conf->auth_authoritative)) {
            return DECLINED;
        } else {
            return res;
        }
    }
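
Added example, not part of the original report or of httpd's source: a small C model of a run-first authentication hook chain, comparing the report's "old" and "new" snippets when mod_auth is ordered before a second module. The sso_auth module, the request struct, decide() and the fail-closed 500 when every hook declines are assumptions of this model.

```c
#include <stdio.h>

/* Constant values match httpd; everything else is a simplified model. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401
#define HTTP_INTERNAL_SERVER_ERROR 500
typedef struct {
    const char *basic_user;  /* NULL: no Basic credentials sent */
    const char *sso_user;    /* NULL: hypothetical second module has no session */
    int auth_authoritative;  /* models AuthAuthoritative on/off */
    int patched;             /* 0 = "old" snippet, 1 = "new" snippet */
} request;
typedef int (*auth_hook)(const request *);

/* Models authenticate_basic_user up to the ap_get_basic_auth_pw() check. */
static int file_auth(const request *r) {
    int res = r->basic_user ? OK : HTTP_UNAUTHORIZED;
    if (r->patched && res == HTTP_UNAUTHORIZED && !r->auth_authoritative)
        return DECLINED;   /* let the next module try */
    return res;            /* password verification is not modelled */
}

/* Hypothetical second authentication module, e.g. session based. */
static int sso_auth(const request *r) {
    return r->sso_user ? OK : HTTP_UNAUTHORIZED;
}

/* Run-first hook: the first result other than DECLINED decides. */
static int run_chain(const request *r, const auth_hook *hooks, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int rv = hooks[i](r);
        if (rv != DECLINED)
            return rv;
    }
    return HTTP_INTERNAL_SERVER_ERROR;  /* model's choice: fail closed */
}

/* file_auth is ordered before sso_auth, the case the report describes. */
int decide(int patched, int authoritative, const char *basic, const char *sso) {
    const auth_hook chain[] = { file_auth, sso_auth };
    request r = { basic, sso, authoritative, patched };
    return run_chain(&r, chain, 2);
}

int main(void) {
    printf("old: %d  new: %d\n", decide(0, 0, NULL, "alice"), decide(1, 0, NULL, "alice"));
    return 0;
}
```

With the "new" logic and AuthAuthoritative off, a request is still rejected with 401 when the second module also has no credentials, so the last module in the chain remains the one that must deny.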