In order to "harden" some pages on an HTTPS server, I have deployed the "FakeBasicAuth" method from mod_ssl. This works almost OK, but has the annoying effect that people whose CN does not match the allowed set for a page get the login popup in their browser. For FakeBasicAuth this makes no sense, as: a) this is supposed to be an automatic process b) the user cannot legally supply valid credentials manually anyway. I solved this by developing the attached small patch for mod_auth. If the new keyword "AuthTolerant" is set to no, 403 is sent instead of 401. Not sure whether this is a (good) solution, but I believe it is useful. Cheers, Martin
Created attachment 16827: Patch that adds AuthTolerant to mod_auth.c
Thanks for the patch - having it here may benefit someone (though it looks as if at least one of your versions isn't what it claims to be). I don't think this change is very likely to happen in 2.0. But it's a fair topic for discussion regarding future versions. Why not post to dev@httpd?
?? Oh, I see 54 vs. 55. There are no changes in mod_auth.c between 2.0.54 and 2.0.55. I made the changes to my 2.0.55 tree. Therefore the diff is technically correct :-) I agree that post-2.0 is a more likely place for adoption of this. I just posted the bug to have the patch documented. Your suggestion to post to the developers list makes sense. I will do so, although I do not do Apache development on a regular basis.
Trunk has AuthzSendForbiddenOnFailure *** This bug has been marked as a duplicate of bug 40721 ***
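An added configuration sketch, not part of the bug thread or of the httpd project's own material: how the `AuthzSendForbiddenOnFailure` directive named in the closing comment fits a FakeBasicAuth setup, assuming httpd 2.4 with mod_ssl, mod_auth_basic, mod_authn_file and mod_authz_user loaded. The directory path, realm, user file path and subject DN are constructed placeholders.

```apache
# Constructed example for httpd 2.4; every path, realm and DN is a placeholder.
<Directory "/var/www/secure">
    # Transport: refuse plain HTTP and demand a client certificate.
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  1

    # FakeBasicAuth turns the certificate's subject DN into a Basic auth
    # user name, paired with the fixed password "password".
    SSLOptions +FakeBasicAuth

    # Authentication: every certificate that may authenticate at all is
    # listed in the user file, one entry per subject DN, each stored with
    # the hash of the fixed password "password".
    AuthType          Basic
    AuthName          "Certificate holders"
    AuthBasicProvider file
    AuthUserFile      "/etc/httpd/conf/cert-users.htpasswd"

    # Authorization: only this subject DN may read this directory.
    Require user "/C=XX/O=Example Org/CN=alice"

    # Default (Off): a listed certificate that fails the Require line gets
    # 401 and the browser shows a login popup the user cannot answer.
    # On: the same client receives 403 and no popup.
    AuthzSendForbiddenOnFailure On
</Directory>
```

The directive changes the status only when authentication succeeded and authorization failed, so a certificate whose DN is missing from the user file fails authentication and still receives 401. To verify, request the directory with a listed but unauthorized certificate and confirm the response is 403 with no `WWW-Authenticate` challenge.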