Bug 15571

Summary: No WWW-Authenticate header returned in 401 message
Product: Apache httpd-2    Reporter: Christopher M. Tan <christ>
Component: mod_dav    Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED
Severity: normal
Priority: P3
Version: 2.0.40
Target Milestone: ---
Hardware: Other
OS: other

Description Christopher M. Tan 2002-12-20 15:10:35 UTC
Overview Description:

No WWW-Authenticate header is returned when access to a URI indicated in 
the "Destination:" header of a request fails authentication.

Steps to Reproduce:

1. Try copying a file from a normal area to a password-protected area without 
supplying any authentication information (I used http://test.webdav.org/dav as 
my normal area, and http://test.webdav.org/auth-basic as my password-protected 
area).

Note: "normal area" refers to an area not requiring authorization.

Actual Results:

The copy failed and a "401 Unauthorized" message was returned from the server.  
However, the "401 Unauthorized" message did not contain a "WWW-Authenticate" 
header as the HTTP/1.1 specs mention it should.

Expected Results:

The copy should fail and a "401 Unauthorized" message should be returned from 
the server containing a "WWW-Authenticate" header.  The HTTP/1.1 specs mention 
that this header *must* be included in a 401 response.

Build Date & Platform:

Apache/2.0.41-dev (Unix) DAV/2 SVN/0.14.2 (dev build)
The server is running the mod_dav and mod_dav_fs modules.

Additional Builds and Platforms:

It has been mentioned that this problem occurs with Apache 1.3/mod_dav 1.0.

Additional Information:

This also occurs on a MOVE (or any request with a "Destination" URI requiring 
Authorization).

From the dav-dev mailing list:
"...the 401 is being generated in an Apache "subrequest", but the WWW-Auth
header is not being promoted to the "real" request, so it gets lost..."
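A small conformance check for the behaviour described in this report, added here as an example (it is not part of the report or of httpd): it issues the credential-less COPY to a Destination in a protected area and flags a 401 that arrives without a WWW-Authenticate challenge. The sample responses are constructed; the URLs are the ones the reporter used.

```python
import http.client
from urllib.parse import urlsplit

def check_401_challenge(status, headers):
    """Return (ok, reason) for a response.  headers is a list of
    (name, value) pairs.  RFC 2616 s.10.4.2 requires a 401 to carry
    WWW-Authenticate; its absence is the bug in this report."""
    if status != 401:
        return True, "not a 401"
    challenges = [v for k, v in headers if k.lower() == "www-authenticate"]
    if not challenges:
        return False, "401 without WWW-Authenticate header"
    return True, "challenge: " + "; ".join(challenges)

def parse_response_head(raw):
    """Parse the status line and headers of a raw HTTP response (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def copy_without_credentials(source_url, dest_url, timeout=10):
    """Issue the COPY from the report with no Authorization header and
    return (status, headers) so check_401_challenge can judge it."""
    src = urlsplit(source_url)
    conn = http.client.HTTPConnection(src.hostname, src.port or 80, timeout=timeout)
    conn.request("COPY", src.path, headers={"Destination": dest_url, "Overwrite": "F"})
    resp = conn.getresponse()
    status, headers = resp.status, resp.getheaders()
    conn.close()
    return status, headers

# Constructed sample responses: the first is what the report describes,
# the second is what a conforming server returns.
BUGGY_401 = b"HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n<html/>"
GOOD_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
            b'WWW-Authenticate: Basic realm="auth-basic"\r\n\r\n')

if __name__ == "__main__":
    for raw in (BUGGY_401, GOOD_401):
        print(check_401_challenge(*parse_response_head(raw)))
    # Live check against the reporter's servers (network access required):
    # print(check_401_challenge(*copy_without_credentials(
    #     "http://test.webdav.org/dav/file.txt", "http://test.webdav.org/auth-basic/file.txt")))
```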
Comment 1 Joshua Slive 2002-12-23 23:23:28 UTC
It would certainly be helpful if you could try this with a more recent
version of apache.  2.0.41-dev is quite old.
Comment 2 Joshua Slive 2003-07-24 18:02:59 UTC
No response from submitter.  Assuming issue is resolved.
Comment 3 Joe Orton 2003-07-24 18:56:47 UTC
This is a real bug, there's a fix in the mod_dav 1.0 tree which can be ported over.
Comment 4 Jeff Trawick 2003-11-11 21:35:06 UTC
I suspect that the fix below is what is needed.  I haven't found the mod_dav 1.0
change yet, but I found this change entry:

"if a lock fails due to authentication problems, return a 403 (Forbidden) rather
than 401 (Unauthorized). this fixes an HTTP conformance issue where we returned
401 but no WWW-Authenticate response header. (Joe Orton)"

I'm guessing this is Joe's fix...  patch to 2.0's mod_dav:

Index: util.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/dav/main/util.c,v
retrieving revision 1.48
diff -u -r1.48 util.c
--- util.c      22 Apr 2003 21:52:46 -0000      1.48
+++ util.c      11 Nov 2003 21:30:58 -0000
@@ -1212,7 +1212,7 @@
                                             "\" submitted a locktoken created "
                                             "by user \"",
                                             lock->auth_user, "\".", NULL);
-                        return dav_new_error(p, HTTP_UNAUTHORIZED, 0, errmsg);
+                        return dav_new_error(p, HTTP_FORBIDDEN, 0, errmsg);
                     }

                     /*
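Review bot: this hunk does not cover the case in the report. The line it changes is the lock-token ownership error in util.c (a user "submitted a locktoken created by user" someone else), whereas the report is about a COPY/MOVE whose Destination subrequest produces a 401 and loses its WWW-Authenticate header on the way to the main request; that path is untouched here, so the header would still be missing on COPY/MOVE. Returning HTTP_FORBIDDEN for the locktoken case is defensible on its own terms, since the submitting user is already known and a new challenge would not change the lock's owner, but the fix for the reported symptom is the one Joe describes in the next comment (promote the subrequest's WWW-Authenticate header to the main request in mod_dav.c), and the two should not be confused in the changelog entry.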
Comment 5 Joe Orton 2003-11-11 21:40:15 UTC
The fix I used was to copy over the www-auth header from the subrequest to the
main request, I can dig it out...
Comment 6 Joe Orton 2003-12-09 12:44:45 UTC
Committed to HEAD, proposed to backport to 2.0:

http://cvs.apache.org/viewcvs/httpd-2.0/modules/dav/main/mod_dav.c.diff?r1=1.100&r2=1.101

Thanks for the report.