> The purpose of <requireAll> is to group things into one logical block. If you > want things to fail in order without checking other conditions, don’t use > requireAll?
I am using RequireAll with two conditions. The first condition is "Require valid user". For the second one I have an environmental variable which depends on the value of "Authentication" header in the HTTP requiest. Namely, I am pulling username out of it. So I want Apache to throw HTTP 401, not HTTP 403 when no "Authentication" header is present. For that I need it to fail whole RequireAll block as soon as first condition "Require valid user" fails. Instead apache is checking everything including "Require env"; and once it fails, it throws HTTP 403 instead of 401 so user has no chance of submitting his credentials. Moreover, I think that this is a bug. Take a look at: https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_core.c#766 It says it should return AUTHZ_DENIED_NO_USER if it can change the result. But it seems it was never implemented. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
