Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 16504 invoked by uid 6000); 25 Nov 1997 19:16:16 -0000
Received: (qmail 16495 invoked from network); 25 Nov 1997 19:16:14 -0000
Received: from valis.worldgate.com (marcs@198.161.84.2)
  by taz.hyperreal.org with SMTP; 25 Nov 1997 19:16:14 -0000
Received: from localhost (marcs@localhost)
  by valis.worldgate.com (8.8.7/8.8.7) with SMTP id MAA29933
  for ; Tue, 25 Nov 1997 12:16:13 -0700 (MST)
Date: Tue, 25 Nov 1997 12:16:13 -0700 (MST)
From: Marc Slemko
To: new-httpd@apache.org
Subject: Re: denying access without challenging?
In-Reply-To: <347B0958.DF5F9B29@iii.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

But do you still want users who don't send any auth to be prompted?

If not, all you need is the appropriate ErrorDocument redirect to
something that doesn't send a 401 to the client.

If you want to distinguish between clients that do try to send some auth
and those that don't, you may be able to do it with mod_rewrite in
combination with an ErrorDocument.

On Tue, 25 Nov 1997, Michael Smith wrote:

> Greetings,
>
> It is possible in apache to deny access to users without actually
> prompting them for a username/password. For example, suppose I have two
> directories
>
> foo
> in which I use require valid-user - so all users can access foo
>
> bar
> in which I use require group barusers
>
> Such that barusers is a subset of valid-users. What I would ideally
> like to happen is that when a user who is not in group barusers tries to
> access this directory, they see some message like "sorry, you don't have
> permission to look here", but don't get prompted for an alternative
> username/password first. Using directives as I've indicated above
> results in the user being challenged. I was thinking that maybe what I
> would need to do is to just have require valid-user in bar, but have
> RewriteRules which are conditional on the group - but I don't think that
> this is possible.
>
> Any ideas?
>
> Thanks
>
> Michael
>