https://bz.apache.org/bugzilla/show_bug.cgi?id=63800

            Bug ID: 63800
           Summary: HTTP 403 instead of HTTP 401 in RequireAll
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_core
          Assignee: bugs@httpd.apache.org
          Reporter: golden...@mail.ru
  Target Milestone: ---

I have the following block:

```apache
<RequireAll>
    Require valid-user
    Require env SMTH
</RequireAll>
```

The environment variable SMTH depends on the data from the "Authentication"
header, so the user's credentials must be present for it to be set to the
correct value.

If no authentication credentials are provided, Apache will check the first
Require, which will "fail" with AUTHZ_DENIED_NO_USER, but it will then check the
second condition, which will fail too, and Apache will "fail" RequireAll with
AUTHZ_DENIED and return HTTP 403 instead of HTTP 401, so the user would never
have a chance to enter credentials.

I wonder why Apache checks all conditions inside RequireAll if one of them has
already failed?

Moreover, check out the comment here:
https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_core.c#766

```c
/*
 * Handling of AUTHZ_DENIED/AUTHZ_DENIED_NO_USER: Return
 * AUTHZ_DENIED_NO_USER if providing a user may change the
 * result, AUTHZ_DENIED otherwise.
 */
```

So Apache should return AUTHZ_DENIED_NO_USER, but it doesn't.

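The evaluation sequence described in the report, as an added model in C. This is illustrative code, not httpd's mod_authz_core.c: the `request` struct, the two provider functions and the `require_all` combination rule are assumptions chosen to follow the comment quoted above, and the `short_circuit` flag models the behaviour the report asks for rather than anything in httpd.

```c
/* Added model of how a <RequireAll> block combines per-Require results.
 * Not mod_authz_core.c: the combination rule below is an assumption based
 * on the comment quoted from that file. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    AUTHZ_DENIED_NO_USER,   /* denied, but supplying a user might change the result */
    AUTHZ_DENIED,           /* denied regardless of user */
    AUTHZ_GRANTED
} authz_status;

/* Minimal stand-in for request_rec: user is NULL when no credentials were
 * sent; env_smth models the SMTH environment variable (NULL = unset). */
typedef struct {
    const char *user;
    const char *env_smth;
} request;

typedef authz_status (*provider_fn)(const request *r, const char *arg);
typedef struct { provider_fn check; const char *arg; } require_line;

/* "Require valid-user": denied-no-user until credentials are present. */
static authz_status valid_user(const request *r, const char *arg)
{
    (void)arg;
    return r->user ? AUTHZ_GRANTED : AUTHZ_DENIED_NO_USER;
}

/* "Require env NAME": the env provider knows nothing about users, so an
 * unset variable is reported as a plain AUTHZ_DENIED. */
static authz_status env_set(const request *r, const char *arg)
{
    if (strcmp(arg, "SMTH") == 0 && r->env_smth != NULL)
        return AUTHZ_GRANTED;
    return AUTHZ_DENIED;
}

/* Assumed <RequireAll> rule: every child is evaluated, and a plain
 * AUTHZ_DENIED from any child makes the whole block AUTHZ_DENIED even if an
 * earlier child returned AUTHZ_DENIED_NO_USER (the reported 403). With
 * short_circuit != 0 the block stops at the first AUTHZ_DENIED_NO_USER
 * instead, which is the behaviour the report asks for (401). */
static authz_status require_all(const request *r, const require_line *lines,
                                size_t n, int short_circuit)
{
    authz_status result = AUTHZ_GRANTED;
    for (size_t i = 0; i < n; i++) {
        authz_status s = lines[i].check(r, lines[i].arg);
        if (s == AUTHZ_DENIED)
            return AUTHZ_DENIED;
        if (s == AUTHZ_DENIED_NO_USER) {
            result = AUTHZ_DENIED_NO_USER;
            if (short_circuit)
                return result;
        }
    }
    return result;
}

/* Map the authz result to the HTTP status the client would see. */
static int http_status(authz_status s)
{
    switch (s) {
    case AUTHZ_GRANTED:        return 200;
    case AUTHZ_DENIED_NO_USER: return 401; /* challenge: WWW-Authenticate is sent */
    default:                   return 403; /* no challenge: client cannot retry */
    }
}

/* Evaluate the reporter's two-line block for a constructed request. */
static int evaluate(const char *user, const char *env_smth, int short_circuit)
{
    request r = { user, env_smth };
    require_line block[] = {
        { valid_user, NULL },   /* Require valid-user */
        { env_set,    "SMTH" }, /* Require env SMTH   */
    };
    return http_status(require_all(&r, block, 2, short_circuit));
}

int main(void)
{
    printf("no credentials, SMTH unset, all children checked: %d\n", evaluate(NULL, NULL, 0));
    printf("no credentials, SMTH unset, stop at no-user:      %d\n", evaluate(NULL, NULL, 1));
    printf("no credentials, SMTH set independently of user:   %d\n", evaluate(NULL, "1", 0));
    printf("credentials present, SMTH derived from them:      %d\n", evaluate("alice", "1", 0));
    return 0;
}
```

The first two lines of output show the difference the report is about: when the env provider is consulted after the no-user result, its plain denial masks the earlier AUTHZ_DENIED_NO_USER and the client gets 403 with no challenge; stopping at the first AUTHZ_DENIED_NO_USER yields 401. The third case shows the situation the quoted comment is written for: when SMTH is set independently of the credentials, both strategies agree on 401, because the only failing child is the one a user could fix. The mismatch arises precisely when a later child's result itself depends on the missing user, as with an env variable derived from the credentials.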