Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2006/02/06 16:26:07 UTC
RFC: 2.2 vs third-party 2.0 auth modules
Whilst 2.2 is, as advertised, source-compatible with 2.0 auth modules,
the current implementation requires that any auth configuration using
such modules is changed to add "AuthBasicAuthoritative off", otherwise
mod_auth_basic will see "no provider configured -> use default file
provider -> fails (since no AuthUserFile is configured) -> deny access".
(the failure mode for this is particularly ugly: after an upgrade, a
previously-working configuration turns into a 500 error with a weird
error message logged as ap_pcfg_openfile returns APR_EBADF when passed
the NULL filename by mod_authn_file)
There are lots of 2.0-compatible auth modules out there, and upgrades
which require admins to make changes to .htaccess files are not very
attractive, so I think it's worth solving this problem if possible.
Solutions I can see:
- only have mod_auth_basic be authoritative if AuthBasicProvider is
configured
- use some hack such that mod_auth_basic will DECLINE iff no provider is
configured and mod_authn_file throws the AUTHN_GENERAL_ERROR. (attached
as proof of concept)
Any thoughts, better ideas?
joe
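The three configurations the message above is talking about, written out as an added httpd 2.2 example (this is not from the thread and not code from httpd). The module name mod_auth_legacy, its directive AuthLegacyEnable and the directory paths are hypothetical stand-ins for a 2.0-era third-party auth module and a site layout; AuthType, AuthName, AuthBasicProvider, AuthBasicAuthoritative, AuthUserFile and Require are the real 2.2 directives.

```apache
# Added example, not part of the original message. mod_auth_legacy and
# AuthLegacyEnable stand in for any third-party 2.0-style auth module
# that hooks check_user_id directly instead of registering a provider.

# (1) Unchanged 2.0-era configuration, as it would be found in a
#     pre-upgrade .htaccess. Under 2.2 mod_auth_basic runs first with no
#     AuthBasicProvider set, falls back to the "file" provider, mod_authn_file
#     has no AuthUserFile and fails, and because mod_auth_basic is
#     authoritative by default the request ends in a 500 before
#     mod_auth_legacy is ever asked.
<Directory /srv/www/legacy-broken>
    AuthType Basic
    AuthName "Restricted"
    AuthLegacyEnable On
    Require valid-user
</Directory>

# (2) The workaround the message says every such config currently needs.
#     With AuthBasicAuthoritative Off, mod_auth_basic returns DECLINED when
#     its provider fails, so the next check_user_id hook (mod_auth_legacy)
#     gets to authenticate the user.
<Directory /srv/www/legacy-workaround>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicAuthoritative Off
    AuthLegacyEnable On
    Require valid-user
</Directory>

# (3) The legitimate default-to-file case that the first proposed fix
#     ("authoritative only if AuthBasicProvider is configured") would change:
#     no AuthBasicProvider line, but AuthUserFile is set, so the implicit
#     "file" provider is the intended one and mod_auth_basic must stay
#     authoritative so a bad password is refused rather than passed along.
<Directory /srv/www/htpasswd-protected>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /srv/www/conf/htpasswd
    Require valid-user
</Directory>
```

Case (3) is what distinguishes the two proposals in the message: under the second one mod_auth_basic only declines when no provider is configured and mod_authn_file reports a general error (no AuthUserFile at all), so a configured file with a wrong password still denies. Note also that none of this applies if mod_auth_basic is simply not loaded, since then the legacy module's hook is the only one in the chain.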
Re: RFC: 2.2 vs third-party 2.0 auth modules
Posted by Brad Nicholes <BN...@novell.com>.
>>> On 2/6/2006 at 8:26:07 am, in message
<20...@redhat.com>,
jorton@redhat.com wrote:
> Whilst 2.2 is, as advertised, source-compatible with 2.0 auth modules,
> the current implementation requires that any auth configuration using
> such modules is changed to add "AuthBasicAuthoritative off" otherwise
> mod_auth_basic will see "no provider configured -> use default file
> provider -> fails (since no AuthUserFile is configured) -> deny access".
>
> (the failure mode for this is particularly ugly: after an upgrade, a
> previously-working configuration turns into a 500 error with a weird
> error message logged as ap_pcfg_openfile returns APR_EBADF when passed
> the NULL filename by mod_authn_file)
>
> There are lots of 2.0-compatible auth modules out there, and upgrades
> which require admins to make changes to .htaccess files are not very
> attractive, so I think it's worth solving this problem if possible.
>
> Solutions I can see:
>
> - only have mod_auth_basic be authoritative if AuthBasicProvider is
> configured
>
> - use some hack such that mod_auth_basic will DECLINE iff no provider is
> configured and mod_authn_file throws the AUTHN_GENERAL_ERROR. (attached
> as proof of concept)
>
> Any thoughts, better ideas?
>
> jo
Although the first solution would be cleaner, it would cause a change
in behavior when mod_auth_basic legitimately defaults to the file
provider. So your second solution would probably be the best. Of
course this would only happen if mod_auth_basic is loaded. If it isn't
needed and loaded, the third party modules should work fine.
Brad