httpd-users mailing list archives

From: "Joshua Slive" <jos...@slive.ca>
Subject: Re: [users@httpd] 2.2.4 Require file-group seems to forget user authentication
Date: Fri, 11 May 2007 14:53:11 GMT

On 5/10/07, TJB <tjb00000@gmail.com> wrote:

> 1) Every request for a missing file results in a request for
> reauthentication. To solve this, I've added rewrite rules which check for
> file existence. If a requested file doesn't exist, it rewrites the
> request to an informative php script.  This works well.

You could also try using the ErrorDocument 404 directive to point to
someplace non-authenticated. But this does appear to be a misfeature
in the mod_authz_unixgroup module. It obviously doesn't know how to
determine the correct authorization info if the file doesn't exist
(since it can't use the file's group info). It should have some
fallback.

>
> 2) A request for an existing file to which the authenticated user is
> not authorized results in the desired request for reauthentication and
> access denial.  However, when the user then returns to a file to which
> s/he is authorized, s/he is again forced to reauth.  It's as if the
> user's login is forgotten after every step out-of-bounds.
>
> Is this the expected behavior for "Require file-group"?  If so, can
> anyone recommend a friendlier work-around?

This does seem like an inherent problem of file-group. The problem is
that you have areas with different authorization requirements, but
they are all under the same "realm" (AuthName). The browser uses the
realm to determine when it should cache and resend credentials. When
you hit an unauthorized file, the browser will receive the 401
response and flush the credentials for that realm. I don't see any
easy way around that.

Joshua.
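
The 401/realm interaction discussed in this message, as an added example that is not part of the original message or of Apache's code: a simplified Python model of a server that answers 401 when the file's group does not match (or the file is missing) and a browser that keeps one Basic credential per realm. The realm name, account, groups, paths and the `server`, `Browser` and `replay` names are constructed for illustration.

```python
import base64

REALM = "Shared Files"   # assumed AuthName shared by every protected area
USERS = {"alice": "s3cret"}                                      # constructed account
USER_GROUPS = {"alice": {"staff"}}                               # constructed membership
FILE_GROUP = {"/staff/a.txt": "staff", "/admin/b.txt": "admin"}  # constructed files


def server(path, authorization=None):
    """Answer 200 only if the login is valid and the file's group matches.

    A missing file has no group to compare, so it also ends in 401.
    """
    if authorization and authorization.startswith("Basic "):
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        if USERS.get(user) == pw and FILE_GROUP.get(path) in USER_GROUPS[user]:
            return 200, None
    return 401, REALM


class Browser:
    """Keeps one Basic credential per realm and flushes it on any 401."""

    def __init__(self, username, password):
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.typed = "Basic " + token   # what the user enters at a prompt
        self.cache = {}                 # realm -> Authorization header value
        self.prompts = 0                # number of login dialogs shown

    def get(self, path, answer_prompt=True):
        status, realm = server(path, self.cache.get(REALM))
        if status != 401:
            return status
        self.cache.pop(realm, None)     # 401: cached credentials for the realm go
        self.prompts += 1
        if not answer_prompt:           # user cancels the dialog
            return 401
        status, _ = server(path, self.typed)
        if status == 200:
            self.cache[realm] = self.typed
        return status


def replay():
    """Allowed file twice, a file of another group (cancelled), allowed file again."""
    b = Browser("alice", "s3cret")
    steps = [("/staff/a.txt", True), ("/staff/a.txt", True),
             ("/admin/b.txt", False), ("/staff/a.txt", True)]
    return [(p, b.get(p, answer), b.prompts) for p, answer in steps]
```

The prompt counter in `replay()` rises on the last request even though the user was already logged in, which is the repeated login the original poster reports.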