|Summary:||No WWW-Authenticate header returned in 401 message|
|Product:||Apache httpd-2||Reporter:||Christopher M. Tan <christ>|
|Component:||mod_dav||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
Description Christopher M. Tan 2002-12-20 15:10:35 UTC
Overview Description: No WWW-Authenticate header is returned when access to a URI indicated in the "Destination:" header of a request fails authentication. Steps to Reproduce: 1. Try copying a file from a normal area to a password-protected area without supplying any authentication information (I used http://test.webdav.org/dav as my normal area, and http://test.webdav.org/auth-basic as my password-protected area). Note: "normal area" refers to an area not requiring authorization. Actual Results: The copy failed and a "401 Unauthorized" message was returned from the server. However, the "401 Unauthorized" message did not contain a "WWW-Authenticate" header as the HTTP/1.1 specs mention it should. Expected Results: The copy should fail and a "401 Unauthorized" message should be returned from the server containing a "WWW-Authenticate" header. The HTTP/1.1 specs mention that this header *must* be included in a 401 response. Build Date & Platform: Apache/2.0.41-dev (Unix) DAV/2 SVN/0.14.2 (dev build) The server is running the mod_dav and mod_dav_fs modules. Additional Builds and Platforms: It has been mentioned that this problem occurs with Apache 1.3/mod_dav 1.0. Additional Information: This also occurs on a MOVE (or any request with a "Destination" URI requiring Authorization). From the dav-dev mailing list: "...the 401 is being generated in an Apache "subrequest", but the WWW-Auth header is not being promoted to the "real" request, so it gets lost..."
Comment 1 Joshua Slive 2002-12-23 23:23:28 UTC
It would certainly be helpful if you could try this with a more recent version of apache. 2.0.41-dev is quite old.
Comment 2 Joshua Slive 2003-07-24 18:02:59 UTC
No response from submitter. Assuming issue is resolved.
Comment 3 Joe Orton 2003-07-24 18:56:47 UTC
This is a real bug, there's a fix in the mod_dav 1.0 tree which can be ported over.
Comment 4 Jeff Trawick 2003-11-11 21:35:06 UTC
I suspect that the fix below is what is needed. I haven't found the mod_dav 1.0 change yet, but I found this change entry: "if a lock fails due to authentication problems, return a 403 (Forbidden) rather than 401 (Unauthorized). this fixes an HTTP conformance issue where we returned 401 but no WWW-Authenticate response header. (Joe Orton)" I'm guessing this is Joe's fix... patch to 2.0's mod_dav: Index: util.c =================================================================== RCS file: /home/cvs/httpd-2.0/modules/dav/main/util.c,v retrieving revision 1.48 diff -u -r1.48 util.c --- util.c 22 Apr 2003 21:52:46 -0000 1.48 +++ util.c 11 Nov 2003 21:30:58 -0000 @@ -1212,7 +1212,7 @@ "\" submitted a locktoken created " "by user \"", lock->auth_user, "\".", NULL); - return dav_new_error(p, HTTP_UNAUTHORIZED, 0, errmsg); + return dav_new_error(p, HTTP_FORBIDDEN, 0, errmsg); } /*
Comment 5 Joe Orton 2003-11-11 21:40:15 UTC
The fix I used was to copy over the www-auth header from the subrequest to the main request, I can dig it out...
Comment 6 Joe Orton 2003-12-09 12:44:45 UTC
Committed to HEAD, proposed to backport to 2.0: http://cvs.apache.org/viewcvs/httpd-2.0/modules/dav/main/mod_dav.c.diff?r1=1.100&r2=1.101 Thanks for the report.