Hi all,

In 2.1 there is no supported API for a digest provider to deny a user
outright before a password match is tried.

Digest providers are currently limited to AUTH_USER_NOT_FOUND or
AUTH_GENERAL_ERROR for errors.  Recent changes in AUTH_GENERAL_ERROR make it
return 500 to match how Basic auth is handled, and AUTH_USER_NOT_FOUND
releases control to the next provider in the chain.  This all leaves digest
providers without a way to return 401 and stop the authentication chain.
Basic providers, however, can use AUTH_DENIED to accomplish this.

So, I'd like to support AUTH_DENIED from digest providers as well.  This
simple patch is all that is required.

--Geoff

Index: modules/aaa/mod_auth_digest.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_auth_digest.c,v
retrieving revision 1.87
diff -u -r1.87 mod_auth_digest.c
--- modules/aaa/mod_auth_digest.c	23 Mar 2004 13:57:48 -0000	1.87
+++ modules/aaa/mod_auth_digest.c	5 Apr 2004 13:33:10 -0000
@@ -1777,6 +1777,14 @@
     else if (return_code == AUTH_USER_FOUND) {
         /* we have a password, so continue */
     }
+    else if (return_code == AUTH_DENIED) {
+        /* authentication denied in the provider before attempting a match */
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Digest: user `%s' in realm `%s' denied by provider: %s",
+                      r->user, conf->realm, r->uri);
+        note_digest_auth_failure(r, conf, resp, 0);
+        return HTTP_UNAUTHORIZED;
+    }
     else {
         /* AUTH_GENERAL_ERROR (or worse)
          * We'll assume that the module has already said what its error
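Review bot: the new AUTH_DENIED branch logs at APLOG_ERR for what is an expected, client-triggerable outcome (a provider refusing a user before any password comparison), so an unauthenticated client can drive error-log volume with nothing but repeated requests; consider the level used for the neighbouring AUTH_USER_NOT_FOUND path or APLOG_INFO, and keep the message format `user `%s' in realm `%s' ... : %s` with r->uri as done here so it stays grep-compatible with the existing Digest messages. Passing 0 as the stale flag to note_digest_auth_failure(r, conf, resp, 0) is the right choice, since the denial is not a nonce problem and the client should not be told to retry with the same credentials. Since this changes the documented contract of the digest provider interface (AUTH_DENIED is now a meaningful return), the header or provider documentation that lists the allowed return codes should be updated in the same commit; the diff only touches mod_auth_digest.c.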
