Hi,
I already posted this as bugzilla #37287, but someone suggested I also
post it here.
#### From bz #37287
In order to "harden" some pages on a HTTPS server, I have deployed the
"FakeBasicAuth" method from mod_ssl. This works almost OK, but has the
annoying effect that people whose CN does not match the allowed set for
a page get the login-popup in their browser. For FakeBasicAuth this
makes no sense, as:
a) this is supposed to be an automatic process
b) the user cannot legally supply valid credentials manually anyway.
I solved this by developing the attached small patch for mod_auth. If
the new keyword "AuthTolerant" is set to "off", HTTP_FORBIDDEN is sent
instead of HTTP_UNAUTHORIZED. The default is to send HTTP_UNAUTHORIZED
as usual.
I am not sure whether this is a good solution, but I believe it is useful
in some cases.
The patch is against 2.0.55. If the proposal is welcome, I believe it
should go into the 2.1 stream.
Cheers
Martin
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
--- httpd-2.0.54/modules/aaa/mod_auth.c 2005-02-04 21:21:18.000000000 +0100
+++ httpd-2.0.55/modules/aaa/mod_auth.c 2005-10-19 12:04:45.000000000 +0200
@@ -44,6 +44,7 @@
char *auth_pwfile;
char *auth_grpfile;
int auth_authoritative;
+ int auth_tolerant;
} auth_config_rec;
static void *create_auth_dir_config(apr_pool_t *p, char *d)
@@ -53,6 +54,8 @@
conf->auth_pwfile = NULL; /* just to illustrate the default really */
conf->auth_grpfile = NULL; /* unless you have a broken HP cc */
conf->auth_authoritative = 1; /* keep the fortress secure by default */
+ conf->auth_tolerant = 1 ; /* Return UNAUTHORIZED on failed requests,
+ otherwise return FORBIDDEN */
return conf;
}
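Review bot: The new default line has a space before the semicolon (`= 1 ;`) and splits its comment across two lines with the continuation unaligned, unlike the single-line comments on the two fields above it; `conf->auth_tolerant = 1; /* send UNAUTHORIZED rather than FORBIDDEN on failure */` matches the neighbours. The signature of create_auth_dir_config lies outside this hunk.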
@@ -80,6 +83,11 @@
OR_AUTHCFG,
"Set to 'no' to allow access control to be passed along to "
"lower modules if the UserID is not known to this module"),
+ AP_INIT_FLAG("AuthTolerant", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(auth_config_rec, auth_tolerant),
+ OR_AUTHCFG,
+ "Set to 'no' to send FORBIDDEN if the UserID "
+ "is not known to this module"),
{NULL}
};
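Review bot: The help string for AuthTolerant only mentions the UserID-not-known case, but the later hunks also return FORBIDDEN on a password mismatch and on a failed group check, so the directive text understates what it changes. Something like `"Set to 'no' to send FORBIDDEN instead of UNAUTHORIZED when authentication or authorization fails"` describes the behaviour the patch actually implements. Admins reading the directive description to decide whether it is safe to enable should not have to read the source to learn that it also covers the group check.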
@@ -173,7 +181,7 @@
const char *sent_pw;
char *real_pw;
apr_status_t invalid_pw;
- int res;
+ int res,retval=HTTP_UNAUTHORIZED;
if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
return res;
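Review bot: The early `return res;` after ap_get_basic_auth_pw() is not covered by the new retval, so a request that carries no credentials at all is presumably still answered with whatever that call returns (HTTP_UNAUTHORIZED, as far as I recall) even when AuthTolerant is off; if the goal is to never trigger the browser prompt, that path needs the same mapping, e.g. `if (res == HTTP_UNAUTHORIZED && !conf->auth_tolerant) res = HTTP_FORBIDDEN;` (conf appears to be in scope already, judging by the next hunk). Separately, `int res,retval=HTTP_UNAUTHORIZED;` packs two declarations onto one line without spacing; `int res;` and `int retval = HTTP_UNAUTHORIZED;` on separate lines match the surrounding declarations. The enclosing function starts outside the hunk.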
@@ -183,6 +191,10 @@
return DECLINED;
}
+ if (!(conf->auth_tolerant)) {
+ retval = HTTP_FORBIDDEN;
+ }
+
if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) {
if (!(conf->auth_authoritative)) {
return DECLINED;
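Review bot: The AuthTolerant-to-status mapping is written twice, here as the retval assignment and again as an if/else in the last hunk (`@@ -293,7 +305,13 @@`), so the two paths can drift apart on later edits. A file-scope helper, `static int auth_failure_status(const auth_config_rec *conf) { return conf->auth_tolerant ? HTTP_UNAUTHORIZED : HTTP_FORBIDDEN; }`, used at both sites would keep them in step and make the retval variable unnecessary. The enclosing function starts outside the hunk.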
@@ -190,7 +202,7 @@
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s not found: %s", r->user, r->uri);
ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+ return retval;
}
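Review bot: `ap_note_basic_auth_failure(r)` is still called immediately before `return retval;`, so when AuthTolerant is off the response carries a Basic challenge header (as far as I recall that call sets WWW-Authenticate) together with a 403 status, and the challenge is precisely what invites a client to retry with credentials, which the directive is meant to suppress. Guarding it, `if (conf->auth_tolerant) { ap_note_basic_auth_failure(r); }`, keeps the 403 free of the challenge. The same applies to the password-mismatch return in the `@@ -199,7 +211,7 @@` hunk and to the group-check return in the last hunk. The enclosing function starts outside the hunk.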
invalid_pw = apr_password_validate(sent_pw, real_pw);
if (invalid_pw != APR_SUCCESS) {
@@ -199,7 +211,7 @@
"Password Mismatch",
r->user, r->uri);
ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+ return retval;
}
return OK;
}
@@ -293,7 +305,13 @@
r->uri, user);
ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+ if (conf->auth_tolerant) {
+ return HTTP_UNAUTHORIZED;
+ }
+ else {
+ return HTTP_FORBIDDEN;
+ }
+
}
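Review bot: The added blank line between the else branch's closing brace and the function's closing brace is stray whitespace and should be dropped. The `else` after a `return` is also redundant; `if (!conf->auth_tolerant) { return HTTP_FORBIDDEN; }` followed by `return HTTP_UNAUTHORIZED;` reads flatter and matches the guard-clause style used earlier in the file. The enclosing function starts outside the hunk.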
static void register_hooks(apr_pool_t *p)