Message-Id: <5.1.0.14.0.20020522133827.052d37a0@mail.tccgi.com>
Date: Wed, 22 May 2002 14:06:46 -0400
To: dev@httpd.apache.org
From: Andrew Mann
Subject: Authentication requirement

httpd2.0.35 server/protocol.c

Is there any reason why ap_get_basic_auth_pw() rejects authentication itself if the client provides no Auth line? I can see a theoretical reason, but it seems to me that the practical reasons not to do this would outweigh that. If I specify a module or set of modules to handle authentication, why is the base server getting involved in the decision at all?

Line 1081:

    if (!auth_line) {
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    }

I use a hack currently that changes the above rejection to fill in auth fields with 0 length strings and presume Basic type. It's probably not the right way to do things, but it seems to have the least chance of breaking any existing modules (unless someone actually uses a blank login/password).

I'm using a module that controls access to directories and files. It doesn't always require a login/password, but for some files/directories it does. It uses a database to determine what kind of credentials are needed to access any given resource.
Naturally there's a problem if the resource shouldn't require a login/password, but the module isn't even being prompted for that, instead the Apache server is rejecting it immediately.

Am I missing some straightforward way to avoid this without altering the code? Is there any reason why an auth module can't be passed every request in its "domain" regardless of how seemingly obvious it is that the request will fail?

Andrew Mann
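
Added example, not part of the original message and not httpd code: a stand-alone C model of the decision the message describes, in which the per-resource policy is consulted before any challenge and a missing Authorization header stays distinct from blank credentials instead of being filled in as zero-length strings. The names parse_basic, needs_login, check and decide, the "/private/" rule and the sample account are hypothetical.

```c
#include <string.h>

/* Tri-state result: "no Authorization header" stays distinct from
 * "header present with empty user/password", which a zero-length-string
 * default would collapse into a single case. */
enum cred_state { CRED_ABSENT, CRED_MALFORMED, CRED_PRESENT };

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Parse "Basic <base64(user:pass)>" into user and pass (each cap bytes). */
enum cred_state parse_basic(const char *hdr, char *user, char *pass, size_t cap) {
    char buf[256]; size_t n = 0; unsigned acc = 0; int bits = 0;
    user[0] = pass[0] = '\0';
    if (!hdr) return CRED_ABSENT;
    if (strncmp(hdr, "Basic ", 6) != 0) return CRED_MALFORMED;
    for (hdr += 6; *hdr && *hdr != '='; hdr++) {
        int v = b64val((unsigned char)*hdr);
        if (v < 0 || n + 1 >= sizeof buf) return CRED_MALFORMED;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; buf[n++] = (char)((acc >> bits) & 0xFF); }
    }
    buf[n] = '\0';
    char *colon = strchr(buf, ':');
    if (!colon) return CRED_MALFORMED;
    *colon = '\0';
    if (strlen(buf) >= cap || strlen(colon + 1) >= cap) return CRED_MALFORMED;
    strcpy(user, buf); strcpy(pass, colon + 1);
    return CRED_PRESENT;
}

/* Constructed stand-in for the module's database lookup (assumption). */
static int needs_login(const char *path) { return strncmp(path, "/private/", 9) == 0; }
/* Constructed credential check with one hypothetical account (assumption). */
static int check(const char *u, const char *p) { return !strcmp(u, "alice") && !strcmp(p, "s3cret"); }

/* Returns the HTTP status this model produces: 200 or 401. */
int decide(const char *path, const char *auth_hdr) {
    char u[64], p[64];
    if (!needs_login(path)) return 200;   /* policy first: no challenge needed */
    if (parse_basic(auth_hdr, u, p, sizeof u) != CRED_PRESENT) return 401;
    return check(u, p) ? 200 : 401;       /* absent header never reaches check() */
}
```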