httpd-users mailing list archives

From Martin Knoblauch <>
Subject Re: [users@httpd] How to prevent AuthBasic login pop-up after first failed login attempt
Date Thu, 13 Oct 2005 15:02:12 GMT
--- Joshua Slive <> wrote:

> On 10/13/05, Martin Knoblauch <> wrote:
> > Hi,
> >
> >  for a secured webserver, I have the following setup/requirements
> >
> > a) HTTPS access only
> > b) Clients need certificate
> > c) for different parts of the site, I want to restrict access to
> > certain certificates.
> >
> >  a) and b) work great. c) works mostly. I am using the SSLOption
> > "FakeBasicAuth" to extract the DN from the certificate and check them
> > against a htpasswd file. This works as expected when one of the
> > "valid-users" is trying to request the page. If one with a valid
> > certificate, but nonmatching DN comes along he is not let in (GOOD !!),
> > but gets the log in pop-up (BAD !!). In that case I would like to
> > immediately send the "forbidden" response. Is that possible at all?
>
> This is just a guess, since I have never used FakeBasicAuth, but you
> might try
> ErrorDocument 401
> This will probably generate a warning in the error_log, since 401
> error documents aren't supposed to be absolute URLs.  But in this
> case, the effect of hiding the 401 status code is exactly what you
> want, so you can ignore the warning.
> Joshua.

 Sorry, but that does not help. On startup httpd tells me that
ErrorDocuments cannot be URLs (notice level) and the behaviour stays
the same.

 Looking a bit more on this I would say that instead of sending 401, I
want to send 403 in the described case.

 I just found a kind of very ugly workaround. If I add:

AuthAuthoritative   Off

 to the section, the server will reply with 500. Not sure whether this
is just a "feature", but it solves the reappearing pop-up problem.

