Bug 37287 - Optionally make mod_auth return HTTP_FORBIDDEN for failed login attempts
Status: RESOLVED DUPLICATE of bug 40721
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth
Version: 2.0.55
Hardware: All All
Importance: P3 enhancement
Target Milestone: ---
Assigned To: Apache HTTPD Bugs Mailing List
URL: http://www.knobisoft.de
Keywords: PatchAvailable
Reported: 2005-10-28 11:02 UTC by Martin Knoblauch
Modified: 2011-06-13 20:48 UTC
Attachments
Patch that adds AuthTolerant to mod_auth.c (2.57 KB, patch)
2005-10-28 11:05 UTC, Martin Knoblauch

Description Martin Knoblauch 2005-10-28 11:02:14 UTC
In order to "harden" some pages on a HTTPS server, I have deployed the
"FakeBasicAuth" method from mod_ssl. This works almost OK, but has the annoying
effect that people whose CN does not match the allowed set for a page get the
login-popup in their browser. For FakeBasicAuth this makes no sense, as:

a) this is supposed to be an automatic process
b) the user cannot legally supply valid credentials manually anyway.

I solved this by developing the attached small patch for mod_auth. If the new
keyword "AuthTolerant" is set to no, 403 is sent instead of 401.

Not sure whether this is a (good) solution, but I believe it is useful.

Cheers
Martin
Comment 1 Martin Knoblauch 2005-10-28 11:05:48 UTC
Created attachment 16827
Patch that adds AuthTolerant to mod_auth.c
Comment 2 Nick Kew 2005-10-28 12:09:28 UTC
Thanks for the patch - having it here may benefit someone (though it looks as 
if at least one of your versions isn't what it claims to be). 
 
I don't think this change is very likely to happen in 2.0.  But it's a fair 
topic for discussion regarding future versions.  Why not post to dev@httpd? 
 
Comment 3 Martin Knoblauch 2005-10-28 12:41:09 UTC
?? Oh, I see 54 vs. 55. There are no changes in mod_auth.c between 2.0.54 and
2.0.55. I made the changes to my 2.0.55 tree. Therefore the diff is technically
correct :-)

 I agree that post-2.0 is a more likely place for adoption of this. I just
posted the bug to have the patch documented. Your suggestion to post to the
developers list makes sense. I will do so, although I do not do apache
development on a regular basis.
Comment 4 Stefan Fritsch 2011-06-13 20:48:03 UTC
Trunk has AuthzSendForbiddenOnFailure

*** This bug has been marked as a duplicate of bug 40721 ***
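
The setup described in this report, written with the AuthzSendForbiddenOnFailure directive named in comment 4, as an added configuration example that is not part of the bug thread or the attached patch. It assumes an httpd release that ships the directive; the location, the file path and the subject DN are constructed placeholders.

```apache
# Constructed example: placeholders throughout, not taken from the report.
<Location "/restricted">
    # Require a client certificate and map its subject DN to a
    # Basic-auth user name (mod_ssl FakeBasicAuth).
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLOptions      +FakeBasicAuth

    AuthType          Basic
    AuthName          "Certificate-mapped access"
    AuthBasicProvider file
    # Each entry is a subject DN with the fixed FakeBasicAuth password hash.
    AuthUserFile      "/usr/local/apache2/conf/httpd.passwd"

    # Only this certificate subject is authorized for the location.
    Require user "/C=DE/O=Example/CN=Alice Example"

    # Default (Off): a user who authenticates but is not authorized
    # receives 401, so the browser shows a login popup.
    # On: the same request receives 403 and no credential prompt.
    AuthzSendForbiddenOnFailure On
</Location>
```

The directive changes the response only when authentication succeeded and authorization failed, so a certificate whose DN is missing from the AuthUserFile still produces a 401. With password-based Basic authentication, a 403 in place of a 401 confirms to the client that the submitted password was correct, which is why the setting is off by default.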