> Version: Apache/1.3.12 (Unix) mod_perl/1.24
> What: PerlAuthenHandler returns headers without WWW-Authenticate field
> Work-around: set with $r->err_header_out
It looks like you haven't fully read the book/docs/manpages/samples for auth
handling.
*All* of the code for Basic auth (i.e. browser based user/password from the
popup dialog) handlers have the following snippet:
$r->note_basic_auth_failure;
return AUTH_REQUIRED;
as in:
# get username & password
(my $res, $sent_pw) = $r->get_basic_auth_pw;
return $res if $res != OK;
$user = $r->connection->user;
# need both username & password
unless ( $user && $sent_pw) {
$r->note_basic_auth_failure;
return AUTH_REQUIRED;
}
>From http_protocol.h:
* note_basic_auth_failure arranges for the right stuff to be scribbled on
* the HTTP return so that the client knows how to authenticate itself the
* next time. As does note_digest_auth_failure for Digest auth.
*
* note_auth_failure does the same thing, but will call the correct one
* based on the authentication type in use.
The C API works the same way. From src/modules/standard/mod_auth.c:
ap_note_basic_auth_failure(r);
return AUTH_REQUIRED;
AND, the actual function ap_note_basic_auth_failure, from Apache's
http_protocol.c:
API_EXPORT(void) ap_note_basic_auth_failure(request_rec *r)
{
/* sanity checks here*/
ap_table_setn(r->err_headers_out,
r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate",
ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r),
"\"",
NULL));
}
which in mod_perl would be:
$r->err_header_out( $r->proxyreq ? "Proxy-Authenticate" :
"WWW-Authenticate",
"Basic realm=" . $r->auth_name );
which looks alot like your workaround. :-)
L8r,
Rob
