Date: 6 Jul 2004 08:02:22 -0000
Message-ID: <20040706080222.20881.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 29928] New: - mod_auth isn't applying AuthAuthoratative directive

http://issues.apache.org/bugzilla/show_bug.cgi?id=29928

           Summary: mod_auth isn't applying AuthAuthoratative directive
           Product: Apache httpd-2.0
           Version: 2.0.49
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: frank.van.gestel@philips.com

If the AuthAuthoritative directive is set to off, mod_auth should return DECLINED whenever authentication or authorization fails. It seems that the routine authenticate_basic_user always returns HTTP_UNAUTHORIZED if no username and password is available. From my perspective, mod_auth should return DECLINED, and subsequent modules in the chain should return HTTP_UNAUTHORIZED.

In the current situation, when using mod_auth in combination with another module which takes care of authentication, mod_auth should always be placed last in the chain, as otherwise the other module can never supply credentials. This also means that authenticating/authorizing users using mod_auth with plain text files can take a lot of time if the previous module is slow.

Proposed change:

old:

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        return res;
    }

new:

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        if ((res == HTTP_UNAUTHORIZED) && !(conf->auth_authoritative)) {
            return DECLINED;
        }
        else {
            return res;
        }
    }
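The chain behaviour described in the report, as an added example that is not part of the original message or of the httpd source: a simplified C model of a run-first authentication hook chain with mod_auth placed ahead of a second module. The names request_model, mod_auth_conf, mod_auth_model, other_auth_model, run_chain and outcome are hypothetical, and only the missing-credentials path is modelled.

```c
/* Added example, not httpd source: simplified model of a run-first
 * authentication hook chain (first non-DECLINED result wins). */
#define OK                  0    /* values as in httpd.h */
#define DECLINED           -1
#define HTTP_UNAUTHORIZED 401

typedef struct {
    int has_basic_creds;  /* request carries Basic credentials */
    int has_other_creds;  /* hypothetical: credentials only other_auth understands */
} request_model;

typedef struct {
    int auth_authoritative;  /* AuthAuthoritative On (1) / Off (0) */
    int patched;             /* 0 = reported behaviour, 1 = proposed change */
} mod_auth_conf;

static mod_auth_conf conf = { 0, 0 };

/* Stand-in for authenticate_basic_user(); only the missing-credentials
 * path of ap_get_basic_auth_pw() is modelled, the password check is omitted. */
static int mod_auth_model(const request_model *r)
{
    int res = r->has_basic_creds ? OK : HTTP_UNAUTHORIZED;
    if (res == HTTP_UNAUTHORIZED && conf.patched && !conf.auth_authoritative)
        return DECLINED;  /* let the next module try */
    return res;
}

/* Hypothetical second authentication module. */
static int other_auth_model(const request_model *r)
{
    return r->has_other_creds ? OK : HTTP_UNAUTHORIZED;
}

typedef int (*auth_hook)(const request_model *);

static int run_chain(const auth_hook *hooks, int n, const request_model *r)
{
    for (int i = 0; i < n; i++) {
        int rv = hooks[i](r);
        if (rv != DECLINED)
            return rv;  /* chain stops at the first decision */
    }
    return DECLINED;
}

/* Outcome with mod_auth ahead of the other module, for a given setting. */
static int outcome(int patched, int authoritative, request_model r)
{
    const auth_hook hooks[] = { mod_auth_model, other_auth_model };
    conf.patched = patched;
    conf.auth_authoritative = authoritative;
    return run_chain(hooks, 2, &r);
}
```

With AuthAuthoritative off, a request that only carries the second module's credentials is rejected by the reported behaviour and accepted once mod_auth declines; with the directive on, the proposed change leaves the 401 in place.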