Posted to dev@httpd.apache.org by Geoffrey Young <ge...@modperlcookbook.org> on 2004/04/05 15:35:50 UTC

returning AUTH_DENIED from a Digest provider

hi all

in 2.1 there is no supported API for a digest provider to deny a user
outright before a password match is tried.

digest providers are currently limited to AUTH_USER_NOT_FOUND or
AUTH_GENERAL_ERROR for errors.  recent changes in AUTH_GENERAL_ERROR make it
return 500 to match how Basic auth is handled, and AUTH_USER_NOT_FOUND
releases control to the next provider in the chain.  this all leaves digest
providers without a way to return 401 and stop the authentication chain.
basic providers, however, can use AUTH_DENIED to accomplish this.

so, I'd like to support AUTH_DENIED from digest providers as well.  this
simple patch is all that is required.

--Geoff
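The provider-chain semantics Geoff is describing, as an added illustration that is not his patch and contains no httpd code: a stand-alone C model in which each digest provider implements a `get_realm_hash`-style callback, and the caller maps the returned status to the request outcome the thread spells out (AUTH_USER_NOT_FOUND falls through to the next provider, AUTH_GENERAL_ERROR ends in 500, AUTH_DENIED ends in 401 and stops the chain, AUTH_USER_FOUND hands the realm hash back for the digest comparison). The `authn_status` enum mirrors the names in httpd's mod_auth.h; the denylist provider, the in-memory user table, the placeholder hash and the chain-walking function are all constructed here for the example.

```c
#include <stdio.h>
#include <string.h>

/* Status values as named in httpd's mod_auth.h (assumption: same names as
 * the 2.1/2.2 tree; no httpd headers are included, this is a model). */
typedef enum {
    AUTH_DENIED,
    AUTH_GRANTED,
    AUTH_USER_FOUND,
    AUTH_USER_NOT_FOUND,
    AUTH_GENERAL_ERROR
} authn_status;

/* Shape of a digest provider's realm-hash lookup, minus the request_rec. */
typedef authn_status (*get_realm_hash_fn)(const char *user, const char *realm,
                                          const char **rethash);

/* Constructed early-reject provider of the kind Geoff describes: deny a
 * listed user outright, otherwise let the chain continue. */
static const char *denied_users[] = { "mallory", NULL };

static authn_status denylist_provider(const char *user, const char *realm,
                                      const char **rethash)
{
    (void)realm; (void)rethash;
    for (const char **p = denied_users; *p; p++)
        if (strcmp(*p, user) == 0)
            return AUTH_DENIED;
    return AUTH_USER_NOT_FOUND;
}

/* Constructed credential store; the hash is a placeholder, not a real
 * MD5(user:realm:password) digest. */
struct entry { const char *user; const char *realm; const char *hash; };
static const struct entry table[] = {
    { "alice", "example", "placeholder-realm-hash" },
    { NULL, NULL, NULL }
};

static authn_status table_provider(const char *user, const char *realm,
                                   const char **rethash)
{
    for (const struct entry *e = table; e->user; e++)
        if (strcmp(e->user, user) == 0 && strcmp(e->realm, realm) == 0) {
            *rethash = e->hash;
            return AUTH_USER_FOUND;
        }
    return AUTH_USER_NOT_FOUND;
}

/* Constructed provider whose backend is unreachable. */
static authn_status broken_provider(const char *user, const char *realm,
                                    const char **rethash)
{
    (void)user; (void)realm; (void)rethash;
    return AUTH_GENERAL_ERROR;
}

/* Walk the chain and return the HTTP status the request would end with.
 * AUTH_USER_FOUND is reported as 200 here to stand in for "hash handed to
 * the digest comparison"; a real server still has to verify the response. */
int run_chain(get_realm_hash_fn *chain, const char *user, const char *realm,
              const char **hash_out)
{
    *hash_out = NULL;
    for (; *chain; chain++) {
        switch ((*chain)(user, realm, hash_out)) {
        case AUTH_USER_NOT_FOUND: continue;     /* release to next provider */
        case AUTH_USER_FOUND:     return 200;   /* hash available for digest check */
        case AUTH_DENIED:         return 401;   /* stop the chain, challenge */
        case AUTH_GENERAL_ERROR:  return 500;   /* matches Basic handling */
        case AUTH_GRANTED:        return 200;   /* not produced by digest providers */
        }
    }
    return 401; /* chain exhausted: nobody knew the user */
}

get_realm_hash_fn chain_with_denylist[] = { denylist_provider, table_provider, NULL };
get_realm_hash_fn chain_broken[]        = { broken_provider, table_provider, NULL };

int main(void)
{
    const char *h;
    printf("mallory -> %d\n", run_chain(chain_with_denylist, "mallory", "example", &h));
    printf("alice   -> %d\n", run_chain(chain_with_denylist, "alice", "example", &h));
    printf("bob     -> %d\n", run_chain(chain_with_denylist, "bob", "example", &h));
    printf("alice (broken backend) -> %d\n", run_chain(chain_broken, "alice", "example", &h));
    return 0;
}
```

The point of the denylist provider is the ordering: placed first in the chain, it answers with AUTH_DENIED before any later provider spends a lookup or hash comparison on the user, which is the early exit the thread asks for; placed after the table provider it would never be consulted for users the table knows.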

Re: returning AUTH_DENIED from a Digest provider

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Justin Erenkrantz wrote:
> --On Monday, April 5, 2004 9:35 AM -0400 Geoffrey Young
> <ge...@modperlcookbook.org> wrote:
> 
>> releases control to the next provider in the chain.  this all leaves
>> digest
>> providers without a way to return 401 and stop the authentication chain.
>> basic providers, however, can use AUTH_DENIED to accomplish this.
>>
>> so, I'd like to support AUTH_DENIED from digest providers as well.  this
>> simple patch is all that is required.
> 
> 
> No idea how a provider would figure out that AUTH_DENIED is appropriate
> when using digest auth (the account itself is disabled is the only thing
> I can think of right now).  

well, the idea I had in mind was that you might want to insert a provider
that denies auth merely based on the username or realm, maybe query a
blacklist or something.  I realize you could also do this by simply removing
the user from your auth credential mechanism, but if you have a chain of
providers you might want to quit early rather than run through them all.

> Yet, this still seems reasonable to handle -
> right now, we'd just return 500 rather than 401, so this seems fine by
> me: +1.  -- justin

will do.  thanks :)

--Geoff

Re: returning AUTH_DENIED from a Digest provider

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Monday, April 5, 2004 9:35 AM -0400 Geoffrey Young 
<ge...@modperlcookbook.org> wrote:

> releases control to the next provider in the chain.  this all leaves digest
> providers without a way to return 401 and stop the authentication chain.
> basic providers, however, can use AUTH_DENIED to accomplish this.
>
> so, I'd like to support AUTH_DENIED from digest providers as well.  this
> simple patch is all that is required.

No idea how a provider would figure out that AUTH_DENIED is appropriate when 
using digest auth (the account itself is disabled is the only thing I can 
think of right now).  Yet, this still seems reasonable to handle - right now, 
we'd just return 500 rather than 401, so this seems fine by me: +1.  -- justin