Posted to dev@httpd.apache.org by Andrew Mann <am...@crosslink.net> on 2002/05/22 20:06:46 UTC
Authentication requirement
httpd2.0.35
server/protocol.c
Is there any reason why ap_get_basic_auth_pw() rejects
authentication itself if the client provides no Auth line? I can see a
theoretical reason, but it seems to me that the practical reasons not to do
this would outweigh that. If I specify a module or set of modules to
handle authentication, why is the base server getting involved in the
decision at all?
Line 1081:
    if (!auth_line) {
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    }
I use a hack currently that changes the above rejection to fill in
auth fields with 0 length strings and presume Basic type. It's probably
not the right way to do things, but it seems to have the least chance of
breaking any existing modules (unless someone actually uses a blank
login/password).
I'm using a module that controls access to directories and
files. It doesn't always require a login/password, but for some
files/directories it does. It uses a database to determine what kind of
credentials are needed to access any given resource. Naturally there's a
problem if the resource shouldn't require a login/password, but the module
isn't even being prompted for that, instead the Apache server is rejecting
it immediately.
Am I missing some straightforward way to avoid this without
altering the code? Is there any reason why an auth module can't be passed
every request in its "domain" regardless of how seemingly obvious it is
that the request will fail?
Andrew Mann
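
Added example, not part of the original post and not httpd code: a stand-alone C model of an access check that consults the per-resource policy before looking at the Authorization header, and that keeps a missing header distinct from an empty login/password. The names parse_basic, resource_needs_login and check_access, the "/private/" rule and the demo account are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Status names follow the post; this is a stand-alone model, not httpd code. */
enum { OK = 0, HTTP_UNAUTHORIZED = 401 };
enum cred_state { CRED_ABSENT, CRED_MALFORMED, CRED_PRESENT };

static int b64val(int c) {
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Hypothetical helper: split "Basic <base64(user:pw)>" into user and pw. */
enum cred_state parse_basic(const char *line, char *user, char *pw, size_t cap) {
    char buf[256]; size_t n = 0; unsigned acc = 0; int bits = 0;
    if (!line) return CRED_ABSENT;                /* no header at all */
    for (const char *k = "basic "; *k; k++)       /* scheme is case-insensitive */
        if (tolower((unsigned char)*line++) != *k) return CRED_MALFORMED;
    for (; *line && *line != '='; line++) {       /* decode up to the padding */
        int v = b64val((unsigned char)*line);
        if (v < 0 || n + 1 >= sizeof buf) return CRED_MALFORMED;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; buf[n++] = (char)((acc >> bits) & 0xFF); }
    }
    buf[n] = '\0';
    char *colon = strchr(buf, ':');
    if (!colon) return CRED_MALFORMED;
    *colon = '\0';
    if (strlen(buf) >= cap || strlen(colon + 1) >= cap) return CRED_MALFORMED;
    strcpy(user, buf); strcpy(pw, colon + 1);
    return CRED_PRESENT;
}

/* Hypothetical policy lookup standing in for the module's database. */
static int resource_needs_login(const char *uri) {
    return strncmp(uri, "/private/", 9) == 0;
}

int check_access(const char *uri, const char *auth_line) {
    char user[64], pw[64];
    if (!resource_needs_login(uri)) return OK;    /* policy first: header not needed */
    if (parse_basic(auth_line, user, pw, sizeof user) != CRED_PRESENT)
        return HTTP_UNAUTHORIZED;                 /* absent is never read as "" / "" */
    /* Constructed demo account. */
    return (strcmp(user, "alice") == 0 && strcmp(pw, "s3cret") == 0) ? OK : HTTP_UNAUTHORIZED;
}

int main(void) { return check_access("/public/a", NULL); }
```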