Bug 48807 - Design policy of "aaa module" is incomplete because of hard coded string.
Summary: Design policy of "aaa module" is incomplete because of hard coded string.
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.14
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Depends on:
Reported: 2010-02-24 12:09 UTC by lepidum
Modified: 2012-02-26 17:02 UTC
0 users

for protocol.c (673 bytes, application/octet-stream)
2010-02-24 12:09 UTC, lepidum

Description lepidum 2010-02-24 12:09:01 UTC
Created attachment 25050
for protocol.c

I'm coding a new authentication module and have some trouble with adding a proper 'WWW-Authenticate' header.

Apache2 separates the aaa module into mod_auth_X and mod_authz_Y.
In the current implementation, if mod_auth_X authenticates user 'foo' successfully and
mod_authz_Y does not authorize 'foo', mod_authz_Y calls the function 'ap_note_auth_failure()'.
This function gets the authentication scheme by calling 'ap_auth_type(r)' and adds the associated 'WWW-Authenticate' header.

There are hard-coded invocations of 'ap_note_X_auth_failure' where X is 'basic' or 'digest', and there is almost the same function in mod_auth_X as 'ap_note_X_auth_failure'.
This design also causes a problem when making a new authentication module without editing 'server/protocol.c'.

I think the routine should reside only in mod_auth_X.
The following patch solves only the new scheme problem by setting a 'note-auth-failure' property in mod_auth_X.
The 'ap_note_X_auth_failure' functions in 'server/protocol.c' are not touched but can be removed in the same way.

The reason for the list structure is multiple headers.

(This issue was found during "HTTP Mutual Access Authentication Protocol" development. 
http://tools.ietf.org/html/draft-oiwa-http-mutualauth , 
https://www.rcis.aist.go.jp/special/MutualAuth/index-en.html ,
https://www.rcis.aist.go.jp/special/MutualAuth/software/mod_auth_mutual/index-en.html )
Comment 1 Stefan Fritsch 2010-07-04 17:20:38 UTC
In trunk, I have solved this by allowing modules to hook into ap_note_auth_failure. Committed in r960399.
Comment 2 Stefan Fritsch 2012-02-26 17:02:41 UTC
Fixed in 2.4.1
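The dispatch problem from the description and the hook-based fix from Comment 1, as a stand-alone model added here (not httpd source and not the attached patch). `model_request`, `model_register_hook`, the two `note_auth_failure_*` functions, the "Mutual" scheme callback and its header value are all hypothetical names and constructed sample data.

```c
#include <ctype.h>
#include <stdio.h>
#define OK 0
#define DECLINED (-1)
#define MAX_HOOKS 8

/* Hypothetical stand-in for request_rec: only what the model needs. */
typedef struct {
    const char *auth_type;      /* what ap_auth_type(r) would return */
    char www_authenticate[64];  /* challenge value, empty if none was set */
} model_request;
typedef int (*note_failure_fn)(model_request *r, const char *auth_type);
static note_failure_fn hooks[MAX_HOOKS];
static int n_hooks;

/* Scheme names are compared case-insensitively. */
static int same_scheme(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}
/* Before: core dispatches on a fixed list of scheme names. */
int note_auth_failure_hardcoded(model_request *r) {
    if (!r->auth_type || !same_scheme(r->auth_type, "Basic"))
        return DECLINED;  /* unknown scheme: the 401 carries no challenge */
    snprintf(r->www_authenticate, sizeof r->www_authenticate, "Basic realm=\"example\"");
    return OK;
}
/* After: each auth module registers a callback for its own scheme. */
int model_register_hook(note_failure_fn fn) {
    if (n_hooks == MAX_HOOKS) return -1;
    hooks[n_hooks++] = fn;
    return 0;
}
/* Core asks each callback in turn; the first one that claims the scheme wins. */
int note_auth_failure_hooked(model_request *r) {
    for (int i = 0; r->auth_type && i < n_hooks; i++)
        if (hooks[i](r, r->auth_type) == OK) return OK;
    return DECLINED;
}
/* Callback a new scheme's module would register (constructed scheme and value). */
int mutual_note_failure(model_request *r, const char *auth_type) {
    if (!same_scheme(auth_type, "Mutual")) return DECLINED;
    snprintf(r->www_authenticate, sizeof r->www_authenticate, "Mutual realm=\"example\"");
    return OK;
}
int main(void) {
    model_request r = { "mutual", "" };
    model_register_hook(mutual_note_failure);
    int before = note_auth_failure_hardcoded(&r), after = note_auth_failure_hooked(&r);
    printf("hardcoded=%d hooked=%d header=%s\n", before, after, r.www_authenticate);
}
```

In the hard-coded variant the authorization failure for the new scheme returns without any challenge, which is the symptom the report describes. With the callback registered, the same request gets the module's own header without the core knowing about the scheme.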