httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Evans <>
Subject Re: [users@httpd] A couple of questions about mod_authz_ldap
Date Thu, 07 May 2009 20:02:58 GMT
On Wed, 2009-05-06 at 00:21 -0400, Edward Ned Harvey wrote:
> I have mod_authnz_ldap_module loaded and working properly.  Users can
> login and navigate to pages where they are granted "Require User" but
> when the user navigates to a page where they have no access, it
> prompts them again to login, and just keeps prompting for username &
> password again.  I would prefer to have an error message, "Access
> Denied" instead of prompting again for username & pass.
> Is this an obvious situation to somebody here?  Should I provide more
> details?  Should I post the question someplace else?
> Thanks for your help...

Apache already does this, but your browser does not display it.

Strictly speaking, apache never prompts a user to login, it simply
informs them, via a 403 response, that authorisation is required. Your
browser then interprets this as a request to prompt you for
authorisation credentials, which it then resubmits. The RFC is telling
on this point, and most browsers ignore it (important sentence starred):

        10.4.2 401 Unauthorized
        The request requires user authentication. The response MUST
        include a WWW-Authenticate header field (section 14.47)
        containing a challenge applicable to the requested resource. The
        client MAY repeat the request with a suitable Authorization
        header field (section 14.8). If the request already included
        Authorization credentials, then the 401 response indicates that
        authorization has been refused for those credentials. **If the
        401 response contains the same challenge as the prior response,
        and the user agent has already attempted authentication at least
        once, then the user SHOULD be presented the entity that was
        given in the response, since that entity might include relevant
        diagnostic information.** HTTP access authentication is
        explained in "HTTP Authentication: Basic and Digest Access

If your browser continually prompts you for a username having supplied
one, without showing you the error page returned by apache, it isn't
following the RFC :)

You can of course customise the error document returned with the
ErrorDocument directive, perhaps if that is large enough that might
cause the browser to display (qv internet explorer 404 pages).



The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message