DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=37287>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=37287 Summary: Optionally make mod_auth return HTTP_FORBIDEEN for failed login attempts Product: Apache httpd-2.0 Version: 2.0.55 Platform: All URL: http://www.knobisoft.de OS/Version: All Status: NEW Keywords: PatchAvailable Severity: enhancement Priority: P2 Component: mod_auth AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] In order to "harden" some pages on a HTTPS server, I have deployed the "FakeBasicAuth" method from mod_ssl. This works almost OK, but has the annoying effect that people whose CN does not match the allowed set for a page get the login-popup in their browser. For FakeBasicAuth this makes no sense, as: a) this is supposed to be an automatic process b) the user cannot legally supply valid credentials manually anyway. I solved this by developing the attached small patch for mod_auth. If the new keyword "AuthTolerant" is set to no, 403 is sent instead of 401. Not sure whether this is a (good) solution, but I believe it is useful. Cheers Martin -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
