Michael Peters wrote:
> Moritz Maisel wrote:
>
>>Hi List,
>>
>>I wrote a PerlAuthenHandler to authenticate users that access a
>>webservice. I supposed that by returning either "OK" or
>>"HTTP_UNAUTHORIZED" back to apache2 it will allow or deny access due to
>>the "require valid-user" directive that I set.
>>My problem is, that apache executes my handler, but it does not take
>>care of my return-values. Instead it always serves the request and
>>grants access.
>
>
> The HTTP codes are HTTP return codes, not handler return codes.

actually, that's not really correct...  a handler is expected to return one of

  o apache handler code (OK, DECLINE, DONE)
  o apache _error_ code (SERVER_ERROR, FORBIDDEN, etc)

the confusion is generally when someone assumes OK (0) is the same as HTTP_OK (200).  so, it's always proper to return an HTTP code in the case of "errors" where "error" in apache-speak is anything other than 200.

> Use FORBIDDEN instead.

actually HTTP_UNAUTHORIZED (401, aka AUTH_REQUIRED) is more proper than FORBIDDEN (403) for basic auth, though either should prevent the content handler from running.

offhand I can't see anything in your code that looks wrong - ordinarily, if mod_perl authen doesn't do its job properly you'll see core errors due to missing AuthUserFile, etc directives that don't really matter if your custom authen is functional.

if I had to guess I'd say that something else in your httpd.conf is interfering with your authen setup.  the first thing that comes to mind is making sure you have 'Satisfy All' and not 'Satisfy Any'

HTH

--Geoff
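
The return-code and Satisfy points from this thread, as an added mod_perl 2 sketch that is not code from any of the posters: an authen handler that returns the handler code OK on success and HTTP_UNAUTHORIZED on failure, with the matching httpd.conf section in the comments. The module name My::Authen, the /service location, the realm and the credential table are all assumptions made for illustration.

```perl
package My::Authen;    # hypothetical module name

use strict;
use warnings;

use Apache2::RequestRec ();    # $r->user
use Apache2::Access ();        # get_basic_auth_pw, note_basic_auth_failure
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);

# Matching httpd.conf section (constructed path and realm):
#
#   <Location /service>
#       AuthType Basic
#       AuthName "webservice"
#       PerlAuthenHandler My::Authen
#       Require valid-user
#       Satisfy All
#   </Location>
#
# With "Satisfy Any" and no host restriction in effect, passing the
# host-based access check alone is enough, so the request is served
# even when this handler returns HTTP_UNAUTHORIZED.

# Constructed credential table; stands in for the real user store.
my %USERS = (alice => 'example-password');

sub handler {
    my $r = shift;

    # Returns OK plus the password when Basic credentials were sent;
    # any other status (e.g. 401 with a challenge) is passed straight back.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;

    my $user = $r->user;
    if (defined $user && defined $password
        && defined $USERS{$user} && $USERS{$user} eq $password) {
        return Apache2::Const::OK;    # handler code 0, not HTTP_OK (200)
    }

    # Queue the WWW-Authenticate challenge and deny with an HTTP error code.
    $r->note_basic_auth_failure;
    return Apache2::Const::HTTP_UNAUTHORIZED;
}

1;
```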