http://issues.apache.org/bugzilla/show_bug.cgi?id=30092

           Summary: ap_get_basic_auth_pw: Don't check for *static* AuthType "Basic"
           Product: Apache httpd-1.3
           Version: 1.3.31
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: core
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

We want to allow fallback from a more involved authtype such as the Negotiation protocol (SPNEGO) to plain basic auth with the standard mod_auth or others by setting an appropriate WWW-Authenticate header and declining.

ap_get_basic_auth_pw() won't descramble the password from the Authorization header unless the request has a *static* AuthType declaration of "Basic" (which contradicts the AuthType required for the more involved protocol).

By omitting this check, authentication modules designed for basic auth can still retrieve the user-supplied password when they are being called in a chain.

ap_get_basic_auth_pw() will still check for a *dynamic* AuthType of "Basic", so we can be sure not to return an inappropriate value.

Without this change, modules designed for basic authentication would need to re-implement the password extraction & descrambling (which some of them actually do).
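A self-contained C model of the check order described in this report, added here as an illustration; it is not Apache's source or the reporter's patch. The function name `get_basic_auth_pw`, the `check_static` switch, the "Negotiate" AuthType value and the sample header are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return codes use the same values as Apache's OK / DECLINED / AUTH_REQUIRED. */
enum { OK = 0, DECLINED = -1, AUTH_REQUIRED = 401 };

/* Decode base64 into out (NUL-terminated); returns length, or -1 on bad input. */
static int b64_decode(const char *in, char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p || n + 1 >= cap) return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (char)((acc >> bits) & 0xFF); }
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical model, not the httpd function itself.
 * static_authtype: AuthType configured for the location (may be NULL).
 * check_static: 1 = behaviour the report describes, 0 = behaviour it proposes. */
static int get_basic_auth_pw(const char *static_authtype, const char *auth_line,
                             int check_static, char *user, char *pw, size_t cap)
{
    char buf[256], *colon;
    if (check_static && (!static_authtype || strcasecmp(static_authtype, "Basic")))
        return DECLINED;        /* static check: configured AuthType is not Basic */
    if (!auth_line || strncasecmp(auth_line, "Basic ", 6))
        return AUTH_REQUIRED;   /* dynamic check: scheme the client actually sent */
    if (b64_decode(auth_line + 6, buf, sizeof buf) < 0 || !(colon = strchr(buf, ':')))
        return AUTH_REQUIRED;   /* malformed credentials (simplified handling) */
    *colon = '\0';
    snprintf(user, cap, "%s", buf);
    snprintf(pw, cap, "%s", colon + 1);
    return OK;
}

int main(void)
{
    char u[64], p[64];
    const char *hdr = "Basic dXNlcjpzZWNyZXQ=";  /* constructed: "user:secret" */
    printf("static check on:  %d\n", get_basic_auth_pw("Negotiate", hdr, 1, u, p, sizeof u));
    printf("static check off: %d\n", get_basic_auth_pw("Negotiate", hdr, 0, u, p, sizeof u));
    return 0;
}
```

With the static check removed, the scheme in the Authorization header is the only gate, so a non-Basic header is still rejected before any decoding happens.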
