> currently, mod_auth_basic and mod_auth_digest behave inconsistently
> in some cases. for example, if i enter a wrong user/pw combination,
> mod_auth_basic writes the following logline (i.e. without a username)
...
> another inconsistency is that if the authentication provider
> reports an internal error, mod_auth_basic produces an "internal server
> error" whereas mod_auth_digest produces a "user not found" message, both
> to the client and in the logs.
>
> there are probably other edge cases where the two modules behave
> inconsistently. ideally, if i change the parameter of AuthType,
> other things should stay the same in every possible way.
yeah, that would certainly be a good idea. give the attached patches a whirl
and see if they work for you. feedback from justin or others that are
familiar appreciated :)
--Geoff
Index: modules/aaa/mod_auth_basic.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_basic.c,v
retrieving revision 1.16
diff -u -r1.16 mod_auth_basic.c
--- modules/aaa/mod_auth_basic.c 9 Feb 2004 20:29:17 -0000 1.16
+++ modules/aaa/mod_auth_basic.c 19 Feb 2004 17:14:33 -0000
@@ -176,6 +176,9 @@
*user = ap_getword_nulls(r->pool, (const char**)&decoded_line, ':');
*pw = decoded_line;
+ /* set the user, even though the user is unauthenticated at this point */
+ r->user = (char *) *user;
+
return OK;
}
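Review bot: r->user now carries the client-supplied name straight out of the Authorization header before any provider has checked it, so everything downstream that reads r->user (the %u log format, REMOTE_USER in subrequests, any module that treats a non-NULL r->user as an authenticated identity) sees an unverified value on rejected requests too. That is presumably the intent, to get the name into the failure log line as mod_auth_digest already does, but the caller's failure paths must not rely on r->user being NULL afterwards and nothing should gate on it being set. The cast also silently drops the const on the decoded name; a comment such as `/* unverified: name from the Authorization header, set before the provider runs so failures can be logged with it */` would make the ordering and the trust level explicit. The enclosing function starts outside the hunk.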
Index: modules/aaa/mod_auth_digest.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_digest.c,v
retrieving revision 1.85
diff -u -r1.85 mod_auth_digest.c
--- modules/aaa/mod_auth_digest.c 9 Feb 2004 20:29:17 -0000 1.85
+++ modules/aaa/mod_auth_digest.c 19 Feb 2004 17:14:25 -0000
@@ -1328,8 +1328,8 @@
* Authorization header verification code
*/
-static const char *get_hash(request_rec *r, const char *user,
- digest_config_rec *conf)
+static authn_status get_hash(request_rec *r, const char *user,
+ digest_config_rec *conf)
{
authn_status auth_result;
char *password;
@@ -1374,12 +1374,11 @@
current_provider = current_provider->next;
} while (current_provider);
- if (auth_result != AUTH_USER_FOUND) {
- return NULL;
- }
- else {
- return password;
+ if (auth_result == AUTH_USER_FOUND) {
+ conf->ha1 = password;
}
+
+ return auth_result;
}
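Review bot: conf->ha1 stores a per-request secret (the user's hash) in digest_config_rec, which as far as I can see is the per-directory configuration shared by every request and thread served under that location, so a concurrent request for a different user can overwrite it between this assignment and the caller reading it back. The removed caller line stored it the same way, so this is pre-existing, but since the function's contract is being rewritten anyway this is the natural place to hand the hash back through an out parameter (`const char **ha1`) or leave it in a local of the caller rather than in the config. Note also that `password` is uninitialised at the top of the function and is only assigned by a provider that returns AUTH_USER_FOUND, so the `== AUTH_USER_FOUND` guard is what keeps the assignment well-defined; a one-line comment saying so would help. The provider loop this hunk closes starts outside it.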
static int check_nc(const request_rec *r, const digest_header_rec *resp,
@@ -1593,6 +1592,7 @@
request_rec *mainreq;
const char *t;
int res;
+ authn_status return_code;
/* do we require Digest auth for this URI? */
@@ -1738,14 +1738,25 @@
return HTTP_UNAUTHORIZED;
}
- if (!(conf->ha1 = get_hash(r, r->user, conf))) {
+ return_code = get_hash(r, r->user, conf);
+
+ if (return_code == AUTH_USER_NOT_FOUND) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Digest: user `%s' in realm `%s' not found: %s",
r->user, conf->realm, r->uri);
note_digest_auth_failure(r, conf, resp, 0);
return HTTP_UNAUTHORIZED;
}
-
+ else if (return_code == AUTH_USER_FOUND) {
+ /* we have a password, so continue */
+ }
+ else {
+ /* AUTH_GENERAL_ERROR (or worse)
+ * We'll assume that the module has already said what its error
+ * was in the logs.
+ */
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
if (resp->message_qop == NULL) {
/* old (rfc-2069) style digest */
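Review bot: the AUTH_USER_FOUND branch is empty and exists only so the else can fall through to a 500, and because conf->ha1 is now filled in as a side effect inside get_hash the call site no longer shows where the hash comes from; the three-way test reads more clearly as a single negative guard, `else if (return_code != AUTH_USER_FOUND) { return HTTP_INTERNAL_SERVER_ERROR; }`, with a comment on the call `/* on AUTH_USER_FOUND get_hash() leaves the hash in conf->ha1 */`. Every status other than FOUND or NOT_FOUND maps to HTTP_INTERNAL_SERVER_ERROR; presumably only AUTH_GENERAL_ERROR is reachable from a get_realm_hash provider, but if a provider can return AUTH_DENIED that should be a 401 via note_digest_auth_failure, not a 500. The error path logs nothing here while the comment merely assumes the provider did, so a single ap_log_rerror at APLOG_ERR naming the user and realm would keep the failure visible even for a silent provider, which is also what the consistency with mod_auth_basic this patch aims at calls for. The enclosing function continues on both sides of the hunk.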