Posted to users@httpd.apache.org by Jim Solosti <ji...@gmail.com> on 2018/06/03 11:23:19 UTC

[users@httpd] Apache 2.4 authentication and authorization “toggling” - with custom authentication mod

I'm upgrading Apache 2.2 to Apache 2.4, and have encountered an issue
regarding authentication and authorization with a custom authentication
provider. It basically authenticates via the Kerberos method.

My Apache 2.4 `httpd.conf` looks like the following:

    <Directory />
        # No authentication and all requests are denied.
        Require all denied
        # Options now defaults to FollowSymLinks in Apache 2.4.
        Options FollowSymLinks
        # AllowOverride now defaults to None in Apache 2.4.
        AllowOverride None
        Require valid-user
        AuthType Digest
        AuthName Customauth
    </Directory>

    <Location "/">
        Require valid-user
        AuthType Digest
        AuthName Customauth
    </Location>

**Issue details**

My custom authentication has the option to be disabled/enabled (by default:
disabled) via toggling – it has the ability to read a Boolean value from a
file in my environment.

Unfortunately, when it is disabled, all of the requests are receiving a 500
response from Apache, and the following errors are shown in
apache_error.log:

> [Thu May 31 19:14:00.464100 2018] [authz_core:debug] [pid 5826]
> mod_authz_core.c(809): [client 172.23.90.75:50154] AH01626:
> authorization result of Require valid-user : denied (no authenticated
> user yet)
>
> [Thu May 31 19:14:00.464109 2018] [authz_core:debug] [pid 5826]
> mod_authz_core.c(809): [client 172.23.90.75:50154] AH01626:
> authorization result of <RequireAny>: denied (no authenticated user
> yet)
>
> [Thu May 31 19:14:00.464179 2018] [core:error] [pid 5826] [client
> 172.23.90.75:50154] AH00027: No authentication done but request not
> allowed without authentication for /request. Authentication not
> configured?

It seems that the “require valid-user” directive is failing the requests
since there is a check in Apache `mod_authz_core` when it is searching for
a “user header”.

I want to “avoid authentication” in case my custom authentication is
disabled and pass the requests through. How can I solve this issue?

**Note 1**: It is worth mentioning that when the custom authentication is
enabled it works properly. It authenticates via tickets and the requests are
handled accordingly.

**Note 2**: The custom authentication toggling had no issues with Apache
2.2. Thus, when I disable it, the requests could pass through.

The Apache 2.2 `httpd.conf` looks like the following (old configuration):

    <Directory />
        Order Deny,Allow
        Deny from all
        Options FollowSymLinks
        AllowOverride None
        Require valid-user
        AuthType Digest
        AuthName Customauth
    </Directory>

    <Location "/">
        Require valid-user
        AuthType Digest
        AuthName Customauth
    </Location>