You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2017/09/22 09:57:41 UTC

mod_authz_core: More control over the authz failed response

Hi all,

I am currently struggling with Safari’s behaviour where it re-asks for a user certificate if the server accepted optional certificates but returned 403 Forbidden. I want the server to send the end user something sensible to explain what they should do, rather than just have their browser ask for a certificate they don’t have over and over (or they do have but they aren’t authorized).

So. I want to be able to send a 302 Temporary Redirect on authz failure, rather than a 403.

Looking at mod_authz_core, we have the option to change a 401 response to a 403 response using AuthzSendForbiddenOnFailure, but I’d like more than that.

I’m imagining a AuthzForbiddenResponse directive, which would override default behaviour as follows:

AuthzForbiddenResponse 401
AuthzForbiddenResponse unauthorized

AuthzForbiddenResponse 403
AuthzForbiddenResponse forbidden

AuthzForbiddenResponse 302 [url-expression]
AuthzForbiddenResponse redirect [url-expression]

Does this sound sensible?

Regards,
Graham
—

Re: mod_authz_core: More control over the authz failed response

Posted by Graham Leggett <mi...@sharp.fm>.

On 22 Sep 2017, at 12:12 PM, Yann Ylavic <yl...@gmail.com> wrote:

> I think:
>  ErrorDocument 403 https://somewhere/
> should work.

It does indeed!

https://httpd.apache.org/docs/2.4/mod/core.html#errordocument

Regards,
Graham
—

Re: mod_authz_core: More control over the authz failed response

Posted by Yann Ylavic <yl...@gmail.com>.

On Fri, Sep 22, 2017 at 12:05 PM, Graham Leggett <mi...@sharp.fm> wrote:
> On 22 Sep 2017, at 12:04 PM, Yann Ylavic <yl...@gmail.com> wrote:
>
>>> So. I want to be able to send a 302 Temporary Redirect on authz failure, rather than a 403.
>>
>> Doesn't ErrorDocument work?
>
> I don’t follow, how would ErrorDocument change the response code from 403 to 302?

I think:
  ErrorDocument 403 https://somewhere/
should work.

>
> Regards,
> Graham
> —
>

Re: mod_authz_core: More control over the authz failed response

Posted by Graham Leggett <mi...@sharp.fm>.

On 22 Sep 2017, at 12:04 PM, Yann Ylavic <yl...@gmail.com> wrote:

>> So. I want to be able to send a 302 Temporary Redirect on authz failure, rather than a 403.
> 
> Doesn't ErrorDocument work?

I don’t follow, how would ErrorDocument change the response code from 403 to 302?

Regards,
Graham
—

Re: mod_authz_core: More control over the authz failed response

Posted by Yann Ylavic <yl...@gmail.com>.

Hi Graham,

On Fri, Sep 22, 2017 at 11:57 AM, Graham Leggett <mi...@sharp.fm> wrote:
>
> So. I want to be able to send a 302 Temporary Redirect on authz failure, rather than a 403.

Doesn't ErrorDocument work?


Regards,
Yann.