You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modules-dev@httpd.apache.org by "Stuart A. Malone" <sa...@llamagraphics.com> on 2009/08/06 17:12:55 UTC

Forcing an auth_failure when using mod_auth_digest

Hi folks,

I'm working on a simple authorization module that enforces private  
directories on the server, so that only user "JaneDoe" can access  
files in "/files/JaneDoe/".  I'm trying to design the module so that  
it works with existing authentication modules like mod_auth_digest.

I'm having a problem when the user has successfully authenticated as  
one user, but is trying to access the directory of a different user.   
In this case, I'd like to send an authorization failure back to the  
browser so that the person can re-authenticate as the proper user.

My module is written as an auth_checker hook, and if the user name and  
directory name don't match, it fails using code like this:

     if (failure) {
         ap_note_auth_failure(r);
         return HTTP_UNAUTHORIZED;
     }

The problem is that when I'm using digest authentication, this causes  
Apache to generate a response header that looks like:

     WWW-Authenticate: Digest realm="Life Balance testing",  
nonce="47079ec014392"

when a valid response header from the mod_auth_digest module looks like:

     WWW-Authenticate: Digest realm="Life Balance testing",  
nonce="sjYB7HlwBAA=22401ec4e68cc4d29a242a512265fabcd2604c5b",  
algorithm=MD5, domain="/files", qop="auth"

If the user tries to re-authenticate using the bad response header,  
the re-authentication in mod_auth_digest fails with the error:

     Digest: invalid nonce 47079ec014392 received - length is not 52

It appears that mod_auth_digest does not call the standard  
ap_note_auth_failure function, but has a private  
ap_note_digest_auth_failure function it uses to generate the right  
response header.  Is there a good way for my module to generate the  
correct response header regardless of which authentication method is  
being used?

All advice on how to do this according to best practices are  
gratefully accepted,

Thanks,

--Stuart A. Malone
   Llamagraphics, Inc.
   Makers of Life Balance personal coaching software
   http://www.llamagraphics.com/