Hi folks,

I'm working on a simple authorization module that enforces private directories on the server, so that only user "JaneDoe" can access files in "/files/JaneDoe/". I'm trying to design the module so that it works with existing authentication modules like mod_auth_digest.

I'm having a problem when the user has successfully authenticated as one user, but is trying to access the directory of a different user. In this case, I'd like to send an authorization failure back to the browser so that the person can re-authenticate as the proper user.

My module is written as an auth_checker hook, and if the user name and directory name don't match, it fails using code like this:

    if (failure) {
        /* ask httpd to add the WWW-Authenticate challenge header */
        ap_note_auth_failure(r);
        /* 401 so the browser prompts for credentials again */
        return HTTP_UNAUTHORIZED;
    }

The problem is that when I'm using digest authentication, this causes Apache to generate a response header that looks like:

    WWW-Authenticate: Digest realm="Life Balance testing", nonce="47079ec014392"

when a valid response header from the mod_auth_digest module looks like:

    WWW-Authenticate: Digest realm="Life Balance testing", nonce="sjYB7HlwBAA=22401ec4e68cc4d29a242a512265fabcd2604c5b", algorithm=MD5, domain="/files", qop="auth"

If the user tries to re-authenticate using the bad response header, the re-authentication in mod_auth_digest fails with the error:

    Digest: invalid nonce 47079ec014392 received - length is not 52

It appears that mod_auth_digest does not call the standard ap_note_auth_failure function, but has a private ap_note_digest_auth_failure function it uses to generate the right response header. Is there a good way for my module to generate the correct response header regardless of which authentication method is being used?

All advice on how to do this according to best practices is gratefully accepted,

Thanks,

--Stuart A. Malone
  Llamagraphics, Inc.
  Makers of Life Balance personal coaching software
  http://www.llamagraphics.com/
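The check that the auth_checker hook described above has to make (does the authenticated user own the directory being requested?) is where such modules most often go wrong, so here is the comparison logic as a standalone C function. This is an added example, not Stuart's module or any httpd code; it deliberately has no dependency on the httpd headers so it can be compiled and tested on its own. The function name `private_dir_allowed` and the `base` parameter are assumptions; inside an actual hook one would pass `r->user` and `r->uri` and map a 0 result to the `HTTP_UNAUTHORIZED` path shown in the post. The two things it gets right that a plain `strstr`/prefix test would not: the user name must match the whole path segment (so "JaneDoe" does not authorize "/files/JaneDoe2/"), and "." / ".." segments are refused so the directory name cannot be escaped.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (example code, not from the post).
 * Returns 1 when `user` may access `uri` under the private tree
 * rooted at `base` (e.g. "/files", no trailing slash), 0 otherwise.
 * Allowed means: uri == base "/" user, or base "/" user "/" ...,
 * with no "." or ".." segments anywhere in uri.
 * Comparison is case-sensitive, so the directory names on disk must
 * use exactly the spelling the authentication module reports. */
int private_dir_allowed(const char *user, const char *uri, const char *base)
{
    size_t blen, ulen;
    const char *seg, *p;

    /* No authenticated user means no private directory access. */
    if (user == NULL || *user == '\0' || uri == NULL || base == NULL)
        return 0;
    /* A user name containing '/' could never name a single segment. */
    if (strchr(user, '/') != NULL)
        return 0;

    /* Refuse any dot segment before comparing anything:
     * "/files/JaneDoe/../JohnDoe/x" must not be treated as JaneDoe's. */
    for (p = uri; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 1 && p[0] == '.')
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }

    /* The request must lie under base: "<base>/..." */
    blen = strlen(base);
    if (strncmp(uri, base, blen) != 0 || uri[blen] != '/')
        return 0;

    /* The first segment after base must be exactly the user name. */
    seg = uri + blen + 1;
    ulen = strlen(user);
    if (strncmp(seg, user, ulen) != 0)
        return 0;
    if (seg[ulen] != '/' && seg[ulen] != '\0')
        return 0;

    return 1;
}

/* Stand-alone demonstration with constructed requests. */
int main(void)
{
    const char *reqs[] = {
        "/files/JaneDoe/report.txt",
        "/files/JaneDoe",
        "/files/JohnDoe/report.txt",
        "/files/JaneDoe2/report.txt",
        "/files/JaneDoe/../JohnDoe/report.txt",
        "/other/JaneDoe/report.txt",
    };
    size_t i;
    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-40s -> %s\n", reqs[i],
               private_dir_allowed("JaneDoe", reqs[i], "/files") ? "allow" : "deny");
    return 0;
}
```

Only the first two requests are allowed for JaneDoe; the remaining four are denied, which is the decision the hook would turn into `ap_note_auth_failure(r); return HTTP_UNAUTHORIZED;`.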
