httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christoph Gröver <>
Subject Authentication/Authorization module vs. Basic Authentication
Date Thu, 30 May 2013 08:56:27 GMT

Dear mailing list,

I have written a rather complex module which deals with authentication
and authorization among other things. It checks for example for the
existence of a valid kerberos ticket, it checks a mysql database for
information which user is allowed to see which URL of a website. Later
it filters out unwanted content or removes part of the content
delivered to the user based on the id of the user.

I didn't want the module to be dependent on any "require ..." line and
I found out these lines are essential for a module which uses the
auth_checker hook. So I use some of the other hooks.
The main authentication and authorization parts are done in

Below there's the part of the code which registers functions for the

The module was first created for Apache 1.3, transferred to Apache 2.0
and is now used with Apache 2.2. But lately there seem to be some 
compatibility problems with Basic Authentication.

In the past it was possible to use Basic Authentication and this module
at the same time. Now this gives us some Error 401 although we have a
"satisfy any" and an allowed IP address configured.

After the code in the acess_checker phase is run and returns a
HTTP_MOVED_TEMPORARILY the user is prompted with a password/login
popup. This is not coming from my code. I guess it's coming from the
module that implements Basic Authentication.

So while I cannot give you an example snippet of code, because it's a
complex module which I cannot boil down to a few lines of code, I hope
you still have an idea what might be going wrong or in which direction
I should analyse this.

Any help is greatly appreciated. Thank you very much.

static void SumpfRegisterHooks(apr_pool_t *pool)
 static const char * const Succ[] = { "mod_php.c", NULL };
  // This is the hook that is called initially at the server start
  // after the configuration is read
  ap_hook_post_config(SumpfInit, NULL, NULL, APR_HOOK_MIDDLE);
  // or APR_HOOK_LAST ?
  // This is the hook that is called after reading each request
  ap_hook_post_read_request(SumpfStartPerRequest, NULL, NULL,

  // We cannot use the auth_checker hook, cause it depends on
  // 'require valid-user' in the configuration
  ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);

  ap_hook_check_user_id(SumpfCheckUserID, NULL, NULL, APR_HOOK_MIDDLE);

  // auth_checker hook will only be used if we have a 'require ...'
  option // if we use the require option the basic auth module can't
  use it !!! ap_hook_auth_checker(SumpfCheckAuthorization, NULL, NULL,

  // For Kerberos we cannot run in auth_checker phase because
  mod_auth_kerb // prevents this by returning OK, which means no other
  module is run here // So we run as first in fixup hook
  ap_hook_fixups(SumpfKerberosChecker, NULL, NULL, APR_HOOK_FIRST);

  // For PHP a normal hook_handler doesn't do anything,
  // presumably because mod_php ends with return(OK)
  // We need the hook_fixups !!
  ap_hook_fixups(SumpfHandleSpecialRequests, NULL, NULL,

  // Not needed anymore  15.12.2006
  // ap_hook_handler(SumpfSpecialURLs, NULL, NULL, APR_HOOK_MIDDLE);

  ap_hook_insert_filter(SumpfInsertFilter, Succ, NULL, APR_HOOK_MIDDLE);

  ap_register_output_filter(SumpfFilterName, sumpf_filter, NULL,

Sitepark Gesellschaft für Informationsmanagement mbH
Rothenburg 14-16, 48143 Münster

Telefon: +49 251 482655-0, Telefax: +49 251 482655-55

Geschäftsführer: Thorsten Liebold
Amtsgericht Münster, HRB 5017

View raw message