www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Wilmes <jwil...@cisco.com>
Subject config/6333: Redirected error document causes authentication to fail
Date Fri, 21 Jul 2000 22:23:13 GMT

>Number:         6333
>Category:       config
>Synopsis:       Redirected error document causes authentication to fail
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jul 21 15:30:01 PDT 2000
>Originator:     jwilmes@cisco.com
>Release:        1.3.12
Solaris 2.7
We had an apache configuration which included the following (cut down and 
names changed for clarity)


  ServerName foo1
  ServerAlias foo1.bar.com
  DocumentRoot /usr/SD/docs
  RewriteEngine on
  RewriteOptions inherit

  ServerName foo.bar.com
  ServerAlias foo
  DocumentRoot /usr/SD/docs
  RewriteEngine on
  RewriteOptions inherit

<FilesMatch "\.(pcgi|phtml)$">
  AuthName "Foo Protected Resource"
  AuthType Basic
  AuthDBMUserFile foo.passwd
  <Limit GET POST>
    require valid-user
  ErrorDocument 401 /errors/auth_failed.html

# OK, now we try to even out load on each individual web server cluster
# redirect traffic from foo(number) to foo.
RewriteCond %{HTTP_HOST}   ^foo[0-9]+.*
# a few things might legitimately need to run on a particular web server..
RewriteCond %{REQUEST_URI} !^/One/Directory/.*
RewriteRule ^/(.*) http://foo.bar.com/$1


Now, when the following URL was loaded:


The response was contained headers like this:
HTTP/1.1 302 Found
Date: Fri, 21 Jul 2000 19:45:58 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.24
WWW-Authenticate: Basic realm="Foo Protected Resource"
Location: http://foo.bar.com/errors/auth_failed.html
Connection: close

And the user would get redirected to the "authentication failed"
page without even getting prompted for a password.

However, if I went to http://foo.bar.com/One/Directory/foo.pcgi instead,
the page would work normally, with a "401 Authorization Required", etc.

After some fiddling, I found that the problem was caused by the fact that 
/errors/ was not excluded from the RewriteRule.  Apparently, apache did 
something like this:

"Hm. This page is protected, and they didn't supply the password"
"I need to send them a reply with a 401 header and the contents of
"But to get to /errors/auth_failed.html, they need to go over to 
"I'll redirect them there!"

This isn't really quite right.  Granted, the omission of /errors/ from my 
rewrite rule was a bug and I don't expect that it should have worked.  But
the way in which it broke was pretty baffling.
My configuration excerpts above should suffice.  The web server which
was having the problem has been corrected.
Perhaps some sort of error message "ErrorDocument is inaccessable on this 
VirtualHost" would have helped to debug the problem?  Does this sound like 
a good idea?
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message