Posted to dev@httpd.apache.org by Martin Knoblauch <sp...@knobisoft.de> on 2005/10/28 13:13:48 UTC

RFC/RFE - Make mod_auth[_basic] optionally return HTTP_FORBIDDEN for failed login attempts

Hi,

 I already posted this as bugzilla #37287, but someone suggested I drop
this here also.

#### From bz #37287

In order to "harden" some pages on a HTTPS server, I have deployed the
"FakeBasicAuth" method from mod_ssl. This works almost OK, but has the
annoying effect that people whose CN does not match the allowed set for
a page get the login-popup in their browser. For FakeBasicAuth this
makes no sense, as:

a) this is supposed to be an automatic process
b) the user cannot legally supply valid credentials manually anyway.

I solved this by developing the attached small patch for mod_auth. If
the new keyword "AuthTolerant" is set to "off", HTTP_FORBIDDEN is sent
instead of HTTP_UNAUTHORIZED. The default is to send HTTP_UNAUTHORIZED
as usual.

Not sure whether this is a (good) solution, but I believe it is useful
for some cases.

The patch is against 2.0.55. If the proposal is welcome, I believe it
should go into the 2.1 stream.

Cheers
Martin

------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www:   http://www.knobisoft.de
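An added configuration example, not part of Martin's post or his attached patch, showing where the proposed directive would sit in a 2.0-style FakeBasicAuth setup: mod_ssl turns the client certificate's Subject DN into the Basic-Auth user name, mod_auth looks that name up in a password file, and an unknown DN would return 403 instead of the 401 that triggers the browser popup. `AuthTolerant` is the directive proposed in the post and does not exist in stock 2.0.55; the DN and file paths are placeholders.

```apache
# Added example; assumes mod_ssl and mod_auth are loaded.
# The client DN and file paths below are placeholders.
<Location /secure>
    # Only over TLS, and only with a client certificate that chains
    # to a CA listed in SSLCACertificateFile.
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Derive the Basic-Auth user name from the certificate's Subject DN.
    # The browser never has to prompt; mod_ssl fabricates the credentials.
    SSLOptions +FakeBasicAuth

    AuthType     Basic
    AuthName     "Client certificate holders"
    # One line per allowed DN. The password field is always the fixed
    # FakeBasicAuth value, crypt("password") = xxj31ZMTZzkVA, e.g.
    #   /C=DE/O=Example/CN=Jane Doe:xxj31ZMTZzkVA
    AuthUserFile /etc/httpd/conf/fakebasic.passwd
    Require      valid-user

    # Proposed directive from the post: a DN absent from the file gets
    # 403 Forbidden rather than 401 + WWW-Authenticate, so no login
    # popup appears (the user could not type a matching DN anyway).
    AuthTolerant off
</Location>
```

With the default (`AuthTolerant on` or the directive absent) the behaviour is unchanged: an unlisted DN still yields 401 and the browser prompt.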