Digest auth doesn't cooperate well with subrequests, because it insists on using the URI from the Auth header instead of the URI in the subrequest. I may be getting some of the subtleties wrong here; please see this mail from Justin Erenkrantz for a better description:

http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=50876

It's part of this thread:

http://subversion.tigris.org/servlets/BrowseList?list=dev&by=thread&from=135712

...which starts with Ben Collins-Sussman explaining why Subversion's recent switch to using subrequests for authorization broke digest auth, for users who had previously been using it successfully.

Oh: and later, in a private email exchange, Sander Striker tentatively confirmed Brian Fitzpatrick's outline of a solution:

B. W. Fitzpatrick wrote:
> So basically, mod_auth_digest needs to see if it's in
> a subreq, and if it is, then ignore the URI in the
> Auth header and use the uri from the subreq itself?
>
> Is that a correct understanding?

That sounds about right.

Sander
I think Fitz has it reversed. mod_auth_digest needs to use the uri of r->main, not of the subreq because the hashed nonce will be off of the original request's URI. Right now, I think it's using the subreq's uri (i.e. r->uri), but that isn't what the user sent. Hence, it can't compute the 'same' hash.
Actually, I think it shouldn't be doing anything other than checking if the subreq uri is in the same directory/location block (or, in the same auth domain), and if so, just copy what was done for the main request.
My subversion server already had a modified mod_auth_digest, so I went digging. It looks like the subreq is already using fields of the main request to check the digest, with one exception -- digest_header_rec does not have a method field. When I get these authentication failures, the subreq method doesn't match the main req's method. I added that field, set it to r->method in parse_hdr_and_update_nc(), and modified old_digest() and new_digest() to use resp->method instead of r->method, and that fixed the problem.
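To make the method dependency described above concrete, here is an added Python illustration (not httpd's code and not the attached patch). It models the RFC 2617 qop=auth response computation and a simplified server-side check that keeps the original request's method next to the parsed Authorization fields, the way the added method field in digest_header_rec does. The credential, nonce and URI values are constructed, and the PROPFIND main request / GET subrequest pairing is an assumption for the demonstration; the thread itself names no methods.

```python
"""Why a subrequest verified with a different HTTP method fails digest auth.

Added illustration, not code from httpd or the attached patch. It models the
RFC 2617 'auth' qop computation and a simplified server-side check. The
credentials, nonce and the PROPFIND/GET method pair are constructed values.
"""
import hashlib
from dataclasses import dataclass


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. HA2 hashes the method, so a header
    is only valid for the method it was originally sent with."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


@dataclass
class DigestHeader:
    """Fields parsed from the client's Authorization header, plus the
    request method recorded alongside them (the field the fix adds)."""
    username: str
    realm: str
    uri: str
    nonce: str
    nc: str
    cnonce: str
    qop: str
    response: str
    method: str  # recorded from the request the header arrived with


def parse_header(main_method: str, fields: dict) -> DigestHeader:
    """Stand-in for the server's header parsing: record the original method."""
    return DigestHeader(method=main_method, **fields)


def server_check(hdr: DigestHeader, password: str, method_used: str) -> bool:
    """Recompute the response with method_used and compare to the client's."""
    expected = digest_response(hdr.username, hdr.realm, password,
                               method_used, hdr.uri, hdr.nonce,
                               hdr.nc, hdr.cnonce, hdr.qop)
    return expected == hdr.response


def subrequest_outcomes(main_method="PROPFIND", subreq_method="GET"):
    """Return (result when verifying with the subrequest's own method,
    result when verifying with the recorded main-request method)."""
    password = "s3cret"  # constructed
    fields = dict(username="alice", realm="svn",  # constructed values
                  uri="/repos/trunk",
                  nonce="1c1b2a3f-constructed-nonce",
                  nc="00000001", cnonce="0a4f113b", qop="auth")
    # The client computed its response for the main request's method.
    fields["response"] = digest_response(
        fields["username"], fields["realm"], password, main_method,
        fields["uri"], fields["nonce"], fields["nc"], fields["cnonce"],
        fields["qop"])
    hdr = parse_header(main_method, fields)
    # Verifying with the subrequest's method (r->method): hashes differ.
    with_subreq_method = server_check(hdr, password, subreq_method)
    # Verifying with the recorded method (resp->method): hashes agree.
    with_recorded_method = server_check(hdr, password, hdr.method)
    return with_subreq_method, with_recorded_method


if __name__ == "__main__":
    print(subrequest_outcomes())  # prints (False, True)
```

Running the module prints `(False, True)`: the same client header fails when the server recomputes HA2 with the subrequest's method and passes once the recorded main-request method is used. The digest_response helper also reproduces the worked example in RFC 2617 section 3.5, which is a convenient way to confirm the computation itself is right before reasoning about the subrequest case.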
Created attachment 9946: The changes described above in patch form (and stripped of other local changes)
Just adding the PatchAvailable keyword...
Committed to httpd-2.1 as r1.82 of modules/aaa/mod_auth_digest.c. Proposed for backport to 2.0. Will be included in the next release. Thanks!