Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 78904 invoked from network); 11 May 2007 14:53:51 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 11 May 2007 14:53:51 -0000 Received: (qmail 35797 invoked by uid 500); 11 May 2007 14:53:40 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 35513 invoked by uid 500); 11 May 2007 14:53:39 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 35502 invoked by uid 99); 11 May 2007 14:53:39 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 11 May 2007 07:53:39 -0700 X-ASF-Spam-Status: No, hits=0.3 required=10.0 tests=MAILTO_TO_SPAM_ADDR,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of jslive@gmail.com designates 209.85.132.251 as permitted sender) Received: from [209.85.132.251] (HELO an-out-0708.google.com) (209.85.132.251) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 11 May 2007 07:53:32 -0700 Received: by an-out-0708.google.com with SMTP id d31so247526and for ; Fri, 11 May 2007 07:53:12 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=eHWdPOUEV6LeZMKFXsJbDlk7UVyLONblBKCnVJHe14kvvbJawH8zqHSHVXjWJk+hptT86WVQdLmYECv2aoQHJcrNFM/MBGYeN9Zyh1K+ExOKTg7UfO+BFZPS2qw60yaUMMioyT9bD+wfwmK9OFKUcy3iVUyXvq5RHUAEn/RT4g0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=NJXzxUPcI6L3MswauYJMO7Z6ku1n7coAdDN/eH2ScAWQUf+ZBDtXjCPEVxUccgOOZ40x9SizV0f5Xs47q5RIGi5jruvTnSJ/pW/SvJTCpEoIB7ShH0CdSgPn5QH3FLyD94qmXNTImamP+A/IjorGkzERzog2ZU7Ox8DI5PjAtxI= Received: by 10.100.119.14 with SMTP id r14mr2281684anc.1178895191939; Fri, 11 May 2007 07:53:11 -0700 (PDT) Received: by 10.100.254.18 with HTTP; Fri, 11 May 2007 07:53:11 -0700 (PDT) Message-ID: Date: Fri, 11 May 2007 10:53:11 -0400 From: "Joshua Slive" Sender: jslive@gmail.com To: users@httpd.apache.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: X-Google-Sender-Auth: 84f6d46fb2a4c63c X-Virus-Checked: Checked by ClamAV on apache.org Subject: Re: [users@httpd] 2.2.4 Require file-group seems to forget user authentication On 5/10/07, TJB wrote: > 1) Every request for a missing file results in a request for > reauthentication. To solve this, I've added rewrite rules which check for > file existence. If a requested file doesn't exist, it rewrites the > request to an informative php script. This works well. You could also try using the ErrorDocument 404 directive to point to someplace non-authenticated. But this does appear to be a miss-feature in the mod_authz_unixgroup module. It obviously doesn't know how to determine the correct authorization info if the file doesn't exist (since it can't use the file's group info). It should have some fallback. > > 2) A request for an existing file to which the authenticated user is > not authorized results in the desired request for reauthentication and > access denial. However, when the user then returns to a file to which > s/he is authorized, s/he is again forced to reauth. It's as if the > user's login is forgotten after every step out-of-bounds. > > Is this the expected behavior for "Require file-group"? If so, can > anyone recommend a friendlier work-around? This does seem like an inherent problem of file-group. The problem is that you have areas with different authorization requirements, but they are all under the same "realm" (AuthName). The browser uses the realm to determine when it should cache and resend credentials. When you hit an unauthorized file, the browser will receive the 401 response and flush the credentials for that realm. I don't see any easy way around that. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org