We seem to be able to leak 401's without an
ap_note_digest_auth_failure(r); I'd like to track down from where :-)

Using MacOSX iCal (which does DAV publishing), DAV and Apache 1.3.26:

Config:

        <Directory ...
                Dav On
                ...
        </Directory>

works fine; but adding

        <LimitExcept GET HEAD OPTIONS>
or
        <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
                require valid-user...

gives me:

62.251.72.224 - - [10/Sep/2002:04:56:33 +0000] "MKCOL /dirkx/iCal HTTP/1.1" 401 482 "-" "DAVAccess/1.0"
62.251.72.224 - - [10/Sep/2002:04:56:34 +0000] "DELETE /dirkx/iCal/Home.ics HTTP/1.1" 401 482 "-" "DAVAccess/1.0"
62.251.72.224 - - [10/Sep/2002:04:56:35 +0000] "PUT /dirkx/iCal/Home.ics HTTP/1.1" 401 482 "-" "DAVAccess/1.0"

..but... *without* any sign of the usual:

    if (...) {
        ap_note_digest_auth_failure(r);
        return AUTH_REQUIRED;
    }

in the error_log, which, as far as I can see, always precedes an
AUTH_REQUIRED/HTTP_UNAUTHORIZED. (And yes - a tcpdump
shows that the auth line is in the RQ.)

Does anyone have any hint as to HOW, and from where, Apache can give me a 401
without going through an ap_note_digest_auth_failure(r) first?

Dw
