Posted to users@httpd.apache.org by Jack Simmons <go...@mail.ru.INVALID> on 2019/10/03 02:19:19 UTC

Re[2]: [users@httpd] AuthzSendUnauthorizeOnFailure?

> The purpose of <requireAll> is to group things into one logical block. If you want things to fail in order without checking other conditions, don’t use requireAll?

I am using RequireAll with two conditions.
The first condition is "Require valid user".
For the second one I have an environmental variable which depends on the value of "Authentication" header in the HTTP request.  Namely, I am pulling username out of it.

So I want Apache to throw HTTP 401, not HTTP 403, when no "Authentication" header is present.  For that I need it to fail the whole RequireAll block as soon as the first condition "Require valid user" fails.  Instead, Apache is checking everything including "Require env"; and once it fails, it throws HTTP 403 instead of 401, so the user has no chance of submitting his credentials.

Moreover, I think that this is a bug.  Take a look at: https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authz_core.c#766

It says it should return AUTHZ_DENIED_NO_USER if it can change the result.  But it seems it was never implemented.