http://issues.apache.org/bugzilla/show_bug.cgi?id=29928

mod_auth isn't applying AuthAuthoratative directive

           Summary: mod_auth isn't applying AuthAuthoratative directive
           Product: Apache httpd-2.0
           Version: 2.0.49
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_auth
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

If the AuthAuthoritative directive is set to off, mod_auth should return
DECLINED whenever authentication or authorization fails.

It seems that the routine authenticate_basic_user always returns
HTTP_UNAUTHORIZED if no username and password are available. In my
perspective, mod_auth should return DECLINED, and subsequent modules in the
chain should return HTTP_UNAUTHORIZED.

In the current situation, when using mod_auth in combination with another
module which takes care of authentication, mod_auth should always be placed
last in the chain, as otherwise the other module can never supply credentials.
This also means that authenticating/authorizing users using mod_auth with
plain text files can take a lot of time if the previous module is slow.

Proposed change:

old:

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        return res;
    }

new:

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        if ( (res == HTTP_UNAUTHORIZED) && !(conf->auth_authoritative) ) {
            return DECLINED;
        } else {
            return res;
        }
    }
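The ordering problem described in the report, as an added example that is not part of the original report or of httpd's source: a simplified model of a hook chain in which the first module that does not return DECLINED decides the request. The `request_model` struct, `other_auth_hook`, `outcome` and the `patched` switch are hypothetical names, and the password lookup in mod_auth is assumed to succeed whenever Basic credentials are present.

```c
#include <stddef.h>
#include <stdio.h>

/* Status codes named as in the report (values follow httpd's). */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

typedef struct {              /* constructed request/config model */
    int has_basic_header;     /* client sent "Authorization: Basic ..." */
    int has_other_creds;      /* credentials only the second module reads */
    int auth_authoritative;   /* AuthAuthoritative On = 1, Off = 0 */
    int patched;              /* 1 = apply the change proposed in the report */
} request_model;
typedef int (*hook_fn)(const request_model *);

/* Stand-in for ap_get_basic_auth_pw(): 401 when no Basic credentials. */
static int get_basic_auth_pw(const request_model *r) {
    return r->has_basic_header ? OK : HTTP_UNAUTHORIZED;
}

/* Model of authenticate_basic_user; password lookup is assumed to succeed. */
static int mod_auth_hook(const request_model *r) {
    int res = get_basic_auth_pw(r);
    if (res) {
        if (r->patched && res == HTTP_UNAUTHORIZED && !r->auth_authoritative)
            return DECLINED;  /* proposed: let the next module try */
        return res;           /* current: the chain ends here */
    }
    return OK;
}

/* Hypothetical second module with its own credential source. */
static int other_auth_hook(const request_model *r) {
    return r->has_other_creds ? OK : HTTP_UNAUTHORIZED;
}

/* First hook that does not return DECLINED decides the request. */
int outcome(int basic, int other, int authoritative, int patched) {
    request_model r = { basic, other, authoritative, patched };
    hook_fn chain[] = { mod_auth_hook, other_auth_hook }; /* mod_auth first */
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rv = chain[i](&r);
        if (rv != DECLINED) return rv;
    }
    return HTTP_UNAUTHORIZED; /* model choice: nobody vouched, so deny */
}

int main(void) {
    printf("current: %d, proposed: %d\n", outcome(0, 1, 0, 0), outcome(0, 1, 0, 1));
    return 0;
}
```

The final `return HTTP_UNAUTHORIZED` is the part to check in any real chain: once mod_auth can decline, a request that no module accepts must still end in a denial rather than being treated as authenticated.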
