https://bz.apache.org/bugzilla/show_bug.cgi?id=63800
Bug ID: 63800
Summary: HTTP 403 instead of HTTP 401 in RequireAll
Product: Apache httpd-2
Version: 2.4.41
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: bugs@httpd.apache.org
Reporter: golden...@mail.ru
Target Milestone: ---

I have the following block:

```apache
<RequireAll>
    Require valid-user
    Require env SMTH
</RequireAll>
```

The environment variable SMTH depends on the data from the "Authentication" header, so the user's credentials must be present for it to be set to the correct value.

If no authentication credentials are provided, Apache will check the first Require, will "fail" with AUTHZ_DENIED_NO_USER, but then will check the second condition, which will fail, and Apache will "fail" RequireAll with AUTHZ_DENIED and return HTTP 403 instead of HTTP 401, so the user would never have a chance to enter credentials.

I wonder why Apache checks all conditions inside RequireAll if one of them has already failed?

Moreover, check out the comment here: https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_core.c#766

```c
/*
 * Handling of AUTHZ_DENIED/AUTHZ_DENIED_NO_USER: Return
 * AUTHZ_DENIED_NO_USER if providing a user may change the
 * result, AUTHZ_DENIED otherwise.
 */
```

So Apache should return AUTHZ_DENIED_NO_USER, but it doesn't.
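A simplified model of the two evaluation strategies the report contrasts, added here as an example; it is not httpd's source and not part of the original report. The function names, the `http_status` mapping and the sample input are assumptions built from the report's description.

```c
#include <stddef.h>
#include <stdio.h>

/* Result names taken from the report; a model, not httpd's own definitions. */
typedef enum { AUTHZ_GRANTED, AUTHZ_DENIED, AUTHZ_DENIED_NO_USER } authz_status;

/* Behaviour as reported: evaluation continues past a child that returned
 * AUTHZ_DENIED_NO_USER, and a later plain AUTHZ_DENIED overrides it. */
authz_status require_all_as_reported(const authz_status *child, size_t n)
{
    authz_status result = AUTHZ_GRANTED;
    for (size_t i = 0; i < n; i++) {
        if (child[i] == AUTHZ_DENIED)
            return AUTHZ_DENIED;            /* hard denial wins */
        if (child[i] == AUTHZ_DENIED_NO_USER)
            result = AUTHZ_DENIED_NO_USER;  /* kept unless overridden */
    }
    return result;
}

/* Alternative the reporter asks about: stop at the first failing child. */
authz_status require_all_first_failure(const authz_status *child, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (child[i] != AUTHZ_GRANTED)
            return child[i];
    return AUTHZ_GRANTED;
}

/* Status mapping as described in the report (0 means the request passes). */
int http_status(authz_status s)
{
    switch (s) {
    case AUTHZ_DENIED_NO_USER: return 401;
    case AUTHZ_DENIED:         return 403;
    default:                   return 0;
    }
}

/* Constructed input: no credentials were sent, so the first Require yields
 * AUTHZ_DENIED_NO_USER and "Require env SMTH" yields AUTHZ_DENIED. */
static const authz_status no_credentials[] = { AUTHZ_DENIED_NO_USER, AUTHZ_DENIED };

int main(void)
{
    printf("as reported:   %d\n", http_status(require_all_as_reported(no_credentials, 2)));
    printf("first failure: %d\n", http_status(require_all_first_failure(no_credentials, 2)));
    return 0;
}
```

Under the first-failure strategy the outcome depends on the order of the `Require` lines: with the two children swapped it also ends in 403.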