Re: 407/403 responses

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 12 Jul 2001 14:36:39 +0200

Robert Collins wrote:

> So the question for the core team is:
> Should I get the authentication code duplicating the 2.4 behaviour -
> http_access deny line that fires on an authorisation failure (as opposed to
> authentication failure) will generate a challenge from each and every
> challenge?

As outlined before.

http_access allow/deny non_matching_proxy_auth_acl -> ignored
http_access deny proxy_auth_acl -> 407(401)
http_access deny other_acl -> 403

Not yet fully logged in, touching a proxy_auth ACL -> 407(401)

ACL processing:

User not matched by the proxy_auth ACL -> false (0).

Question: How to generate scheme challenges in the first case where the
user is authenticated but not authorized.

Answer: authenticateFixHeader needs to be aware that the header fixup is
due to authorization failure, not authentication failure, and then force
the client to send new credentials even if the current ones are valid.
This is the call to authenticateFixHeader from errorpage.c where the
last argument is 1 (currently named "internal", should probably be
"unautorized" or something similar...).

--
Henrik
Received on Thu Jul 12 2001 - 06:45:00 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:06 MST