httpd-dev mailing list archives

From: Joe Orton
Subject: RFC: 2.2 vs third-party 2.0 auth modules
Date: Mon, 06 Feb 2006 15:26:07 GMT

Whilst 2.2 is, as advertised, source-compatible with 2.0 auth modules, 
the current implementation requires that any auth configuration using 
such modules is changed to add "AuthBasicAuthoritative off" otherwise 
mod_auth_basic will see "no provider configured -> use default file 
provider -> fails (since no AuthUserFile is configured) -> deny access".

(the failure mode for this is particularly ugly: after an upgrade, a 
previously-working configuration turns into a 500 error with a weird 
error message logged as ap_pcfg_openfile returns APR_EBADF when passed 
the NULL filename by mod_authn_file)

There are lots of 2.0-compatible auth modules out there, and upgrades 
which require admins to make changes to .htaccess files are not very 
attractive, so I think it's worth solving this problem if possible.

Solutions I can see:

- only have mod_auth_basic be authoritative if AuthBasicProvider is 

- use some hack such that mod_auth_basic will DECLINE iff no provider is 
configured and mod_authn_file throws the AUTHN_GENERAL_ERROR.  (attached 
as proof of concept)

Any thoughts, better ideas?
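
An added example, not part of the original message or of httpd: a small Python check an admin could run over .htaccess contents before a 2.0 to 2.2 upgrade, flagging configurations that match the failure chain described in the message. Assumptions: `AuthExampleServer` stands in for a hypothetical third-party 2.0 module directive, the sample files are constructed, and each file is treated as one scope with no settings inherited from parent directories.

```python
def directives(text):
    """Map lower-cased directive name -> argument string for one config file."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section containers such as <Limit ...>.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def at_risk(text):
    """True when Basic auth is on, no provider or AuthUserFile is set, and
    mod_auth_basic is left authoritative (the 2.2 default): the case where the
    default file provider is handed a NULL filename and the request fails."""
    d = directives(text)
    if d.get("authtype", "").strip('"').lower() != "basic":
        return False
    if "authbasicprovider" in d or "authuserfile" in d:
        return False  # stock 2.2 path is configured; not the chain in the message
    return d.get("authbasicauthoritative", "on").strip('"').lower() != "off"

def flagged(files):
    """Return the sorted names of files that need 'AuthBasicAuthoritative off'."""
    return sorted(name for name, text in files.items() if at_risk(text))

# Constructed sample: a 2.0-era config relying on a hypothetical third-party module.
LEGACY = """AuthType Basic
AuthName "Intranet"
AuthExampleServer auth.example.internal
Require valid-user
"""
# Same config with the workaround the message says 2.2 currently requires.
FIXED = LEGACY + "AuthBasicAuthoritative off\n"
# Constructed sample: plain file-based auth, unaffected by the problem.
FILE_AUTH = """AuthType Basic
AuthName "Files"
AuthUserFile /srv/example/htpasswd
Require valid-user
"""
SAMPLES = {"legacy/.htaccess": LEGACY, "fixed/.htaccess": FIXED,
           "files/.htaccess": FILE_AUTH}

if __name__ == "__main__":
    for name in flagged(SAMPLES):
        print(name, "needs 'AuthBasicAuthoritative off' before upgrading to 2.2")
```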

