httpd-dev mailing list archives

From Martin Knoblauch
Subject RFC/RFE - Make mod_auth[_basic] optionally return HTTP_FORBIDDEN for failed login attempts
Date Fri, 28 Oct 2005 11:13:48 GMT

I already posted this as bugzilla #37287, but someone suggested I drop
this here also.

#### From bz #37287

In order to "harden" some pages on a HTTPS server, I have deployed the
"FakeBasicAuth" method from mod_ssl. This works almost OK, but has the
annoying effect that people whose CN does not match the allowed set for
a page get the login-popup in their browser. For FakeBasicAuth this
makes no sense, as:

a) this is supposed to be an automatic process
b) the user cannot legally supply valid credentials manually anyway.

I solved this by developing the attached small patch for mod_auth. If
the new keyword "AuthTolerant" is set to "off", HTTP_FORBIDDEN is sent
instead of HTTP_UNAUTHORIZED. The default is to send HTTP_UNAUTHORIZED
as usual.

Not sure whether this is a (good) solution, but I believe it is useful
for some cases.

The patch is against 2.0.55. If the proposal is welcome, I believe it
should go into the 2.1 stream.


Martin Knoblauch
email: k n o b i AT knobisoft DOT de