Posted to modules-dev@httpd.apache.org by Christoph Gröver <gr...@sitepark.com> on 2013/06/17 11:24:51 UTC

Re: Authentication/Authorization module vs. Basic Authentication

Hello list,

I thought I'd let you know what I found out so far.
Perhaps someone will have an idea what is going on.

In the access checking phase started by this line

 ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);

I return with a "return(HTTP_MOVED_TEMPORARILY)".
I have set up the new location to go to by setting
the appropriate headers with
 apr_table_set( r->headers_out, "Location", newlocation );

Instead of sending back to the client a 302 or a 301, the next thing
that happens is that Apache sends back a 401.
(Found out with ngrep).

So this results in prompting the user for a password.

It seems the "Basic Authentication" code or something else is doing
something after I finished in the access checking phase.

I tried to find out with "LogLevel debug".
But this actually leads to nearly no extra lines in the logfiles.

I have configured it in the global configuration and in the VirtualHost
section.

Well for the moment I'm stuck.
Hope somebody has an idea ....

Greetings


-- 
Christoph Gröver

Re: Authentication/Authorization module vs. Basic Authentication

Posted by Christoph Gröver <gr...@sitepark.com>.
Hello Nick,

> You'd want the err_headers_out to set that for an error return.

OK. Good point. Changed that.
> 
> > Instead of sending back to the client a 302 or a 301, the next thing
> > that happens is that Apache sends back a 401.
> 
> Have you traced and/or stepped through execution of your own code?

I have a lot of debugging code in my module. The last thing that my
module does in the access checking phase is returning
HTTP_MOVED_TEMPORARILY (this is logged to the errorlog).

For debugging purposes I have a short code segment hooked up into
the phases check_user_id and auth_checker.
Those are not run.

So. This leads to my conclusion that some other module must be doing
something in the access checking phase.

> 
> Could it be that your errordocument itself authenticates the client?

The problem arises when the client sends POST data to the webserver.
The client sends authentication information and my module does a 
redirection to either a failed login page or a successful welcome page.

Without any "Basic Authentication" / "require ...." lines in the
configuration this works.

If I add a "require valid-user" it doesn't work anymore.

> 
> > I tried to find out with "LogLevel debug".
> > But this actually leads to nearly no extra lines in the log files.
> 
> My usual tool in that situation is gdb.
> 

I guess the other modules are not logging much if not compiled for
verbosity?
If I'd use gdb I would have to compile every module with debugging
support, I guess?

Thank you for your answer,
Greetings

-- 
Sitepark Gesellschaft für Informationsmanagement mbH
Rothenburg 14-16, 48143 Münster

Phone: +49 251 482655-0, Fax: +49 251 482655-55
http://www.sitepark.com
http://www.facebook.com/sitepark

Managing Director: Thorsten Liebold
Amtsgericht Münster, HRB 5017

Re: Authentication/Authorization module vs. Basic Authentication

Posted by Christoph Gröver <gr...@sitepark.com>.
Hello Niq, Hello List,

I have been able to solve this issue. Well, I should say, I have found
a workaround.

I suspected mod_auth_basic to be doing something wrong, so I had a close
look at the source code.
It is only run in the check_user_id phase.

I tested whether the problem still exists if my module is hooked in at
the beginning of the check_user_id phase and returns with status DONE,
thus preventing mod_auth_basic from being run at all.

The problem is immediately gone, so I'm sure this module is the cause.
But I haven't found out what exactly goes wrong.

Doesn't matter. This way it works.

Thank you for your time.

Greetings

-- 
Christoph Gröver
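
The hook ordering behind the workaround described above, as an added example that is not part of the original post and not httpd or module source: a self-contained C model of first-result-wins dispatch for the check_user_id phase. The status and ordering constants mirror httpd.h and apr_hooks.h; `sumpf_check_user_id`, `request_model` and the simplified Basic-auth stand-in are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* Values as in httpd.h / apr_hooks.h, redefined so the model builds without httpd. */
#define OK 0
#define DECLINED (-1)
#define DONE (-2)
#define HTTP_UNAUTHORIZED 401
#define APR_HOOK_FIRST 0
#define APR_HOOK_MIDDLE 10

typedef struct { int has_credentials; int basic_auth_ran; } request_model;
typedef int (*hook_fn)(request_model *r);
typedef struct { hook_fn fn; int order; } hook_entry;

/* Simplified stand-in for a Basic-auth check_user_id hook: no credentials -> 401. */
static int basic_check_user_id(request_model *r) {
    r->basic_auth_ran = 1;
    return r->has_credentials ? OK : HTTP_UNAUTHORIZED;
}

/* Hypothetical custom hook for the workaround: it ends the phase itself. */
static int sumpf_check_user_id(request_model *r) { (void)r; return DONE; }

static int by_order(const void *a, const void *b) {
    return ((const hook_entry *)a)->order - ((const hook_entry *)b)->order;
}

/* First-result-wins dispatch: hooks run in ascending order and the first
 * return value other than DECLINED ends the phase. */
static int run_first(hook_entry *hooks, size_t n, request_model *r) {
    qsort(hooks, n, sizeof *hooks, by_order);
    for (size_t i = 0; i < n; i++) {
        int rv = hooks[i].fn(r);
        if (rv != DECLINED) return rv;
    }
    return DECLINED;
}

/* Returns the phase result; *ran reports whether the Basic-auth stand-in executed. */
int check_user_id_phase(int with_workaround, int *ran) {
    request_model r = {0, 0};  /* constructed request carrying no credentials */
    hook_entry hooks[2] = {{basic_check_user_id, APR_HOOK_MIDDLE},
                           {sumpf_check_user_id, APR_HOOK_FIRST}};
    int rv = run_first(hooks, with_workaround ? 2 : 1, &r);
    *ran = r.basic_auth_ran;
    return rv;
}
```

Because the first result other than DECLINED ends the phase, a hook that returns DONE unconditionally also bypasses the Basic-auth check that `require valid-user` was meant to enforce, so the module has to make the authentication decision itself.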

Re: Authentication/Authorization module vs. Basic Authentication

Posted by Nick Kew <ni...@apache.org>.
On 17 Jun 2013, at 10:24, Christoph Gröver wrote:

> 
> Hello list,
> 
> I thought I'd let you know what I found out so far.
> Perhaps someone will have an idea what is going on.
> 
> In the access checking phase started by this line
> 
> ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);
> 
> I return with a "return(HTTP_MOVED_TEMPORARILY)".
> I have set up the new location to go to by setting
> the appropriate headers with
> apr_table_set( r->headers_out, "Location", newlocation );

You'd want the err_headers_out to set that for an error return.

> Instead of sending back to the client a 302 or a 301, the next thing
> that happens is that Apache sends back a 401.

Have you traced and/or stepped through execution of your own code?

Could it be that your errordocument itself authenticates the client?

> I tried to find out with "LogLevel debug".
> But this actually leads to nearly no extra lines in the log files.

My usual tool in that situation is gdb.

-- 
Nick Kew