Bug 37287

Summary: Optionally make mod_auth return HTTP_FORBIDDEN for failed login attempts
Product: Apache httpd-2
Reporter: Martin Knoblauch <spamtrap>
Component: mod_auth
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE
Severity: enhancement
Keywords: PatchAvailable
Priority: P3
Version: 2.0.55
Target Milestone: ---
Hardware: All
OS: All
URL: http://www.knobisoft.de
Attachments: Patch that adds AuthTolerant to mod_auth.c

Description Martin Knoblauch 2005-10-28 11:02:14 UTC
In order to "harden" some pages on a HTTPS server, I have deployed the
"FakeBasicAuth" method from mod_ssl. This works almost OK, but has the annoying
effect that people whose CN does not match the allowed set for a page get the
login-popup in their browser. For FakeBasicAuth this makes no sense, as:

a) this is supposed to be an automatic process
b) the user cannot legally supply valid credentials manually anyway.

I solved this by developing the attached small patch for mod_auth. If the new
keyword "AuthTolerant" is set to no, 403 is sent instead of 401.

Not sure whether this is a (good) solution, but I believe it is useful.

Cheers
Martin
Comment 1 Martin Knoblauch 2005-10-28 11:05:48 UTC
Created attachment 16827
Patch that adds AuthTolerant to mod_auth.c
Comment 2 Nick Kew 2005-10-28 12:09:28 UTC
Thanks for the patch - having it here may benefit someone (though it looks as 
if at least one of your versions isn't what it claims to be). 
 
I don't think this change is very likely to happen in 2.0.  But it's a fair 
topic for discussion regarding future versions.  Why not post to dev@httpd? 
 
Comment 3 Martin Knoblauch 2005-10-28 12:41:09 UTC
?? Oh, I see 54 vs. 55. There are no changes in mod_auth.c between 2.0.54 and
2.0.55. I made the changes to my 2.0.55 tree. Therefore the diff is technically
correct :-)

I agree that post-2.0 is a more likely place for adoption of this. I just
posted the bug to have the patch documented. Your suggestion to post to the
developers list makes sense. I will do so, although I do not do Apache
development on a regular basis.
Comment 4 Stefan Fritsch 2011-06-13 20:48:03 UTC
Trunk has AuthzSendForbiddenOnFailure

*** This bug has been marked as a duplicate of bug 40721 ***
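The setup this thread is about, written out as an added example for httpd 2.4 rather than the 2.0 tree the patch targets; it is not part of the bug report, the attached AuthTolerant patch, or the httpd project's documentation. mod_ssl's FakeBasicAuth turns the client certificate's subject DN into a Basic-auth username with the fixed password "password" (crypt form xxj31ZMTZzkVA), and the trunk directive Stefan names, AuthzSendForbiddenOnFailure, is what replaces the proposed "AuthTolerant no". The virtual host name, file paths and the certificate subject are assumptions for illustration.

```apache
# Added example, not from the bug report or the patch. Names, paths and the
# certificate subject below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    <Location "/restricted/">
        # Insist on a certificate from client-ca.pem. Without this, anyone who
        # knows a listed subject DN could send their own
        # "Authorization: Basic" header with the fixed FakeBasicAuth password.
        SSLVerifyClient require
        SSLVerifyDepth  1

        # mod_ssl synthesises the Basic-auth header from the subject DN.
        # LegacyDNStringFormat keeps the slash-separated DN spelling used
        # in the user file below; check SSL_CLIENT_S_DN on a test request
        # and use that exact string.
        SSLOptions +FakeBasicAuth +LegacyDNStringFormat

        AuthType Basic
        AuthName "Client certificate required"
        AuthBasicProvider file
        # Every line in this file is "<subject DN>:xxj31ZMTZzkVA", e.g.
        #   /C=DE/O=Example/CN=Martin Knoblauch:xxj31ZMTZzkVA
        AuthUserFile /etc/httpd/fakebasic.htpasswd

        # Only this certificate subject may enter.
        Require user "/C=DE/O=Example/CN=Martin Knoblauch"

        # A valid certificate whose subject is not listed above gets 403
        # instead of 401, so the browser shows no password prompt that the
        # user could never satisfy (the effect the AuthTolerant patch aimed for).
        AuthzSendForbiddenOnFailure On
    </Location>
</VirtualHost>
```

Two caveats for anyone reproducing this. AuthzSendForbiddenOnFailure only changes the authorization step: a certificate whose subject is absent from AuthUserFile altogether still fails authentication in mod_auth_basic and gets a 401 with the prompt, so the file has to list every subject the CA issues, or the Basic layer should be dropped in favour of mod_authz_core's `Require expr` on SSL_CLIENT_S_DN_CN (2.4 only), which needs no password file and no fixed password. And the password file is only safe while SSLVerifyClient require is in force for the same location; FakeBasicAuth's credentials are public by design.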