hi all
in 2.1 there is no supported API for a digest provider to deny a user
outright before a password match is tried.
digest providers are currently limited to AUTH_USER_NOT_FOUND or
AUTH_GENERAL_ERROR for errors. recent changes in AUTH_GENERAL_ERROR make it
return 500 to match how Basic auth is handled, and AUTH_USER_NOT_FOUND
releases control to the next provider in the chain. this all leaves digest
providers without a way to return 401 and stop the authentication chain.
basic providers, however, can use AUTH_DENIED to accomplish this.
so, I'd like to support AUTH_DENIED from digest providers as well. this
simple patch is all that is required.
--Geoff
Index: modules/aaa/mod_auth_digest.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_auth_digest.c,v
retrieving revision 1.87
diff -u -r1.87 mod_auth_digest.c
--- modules/aaa/mod_auth_digest.c 23 Mar 2004 13:57:48 -0000 1.87
+++ modules/aaa/mod_auth_digest.c 5 Apr 2004 13:33:10 -0000
@@ -1777,6 +1777,14 @@
else if (return_code == AUTH_USER_FOUND) {
/* we have a password, so continue */
}
+ else if (return_code == AUTH_DENIED) {
+ /* authentication denied in the provider before attempting a match */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Digest: user `%s' in realm `%s' denied by provider: %s",
+ r->user, conf->realm, r->uri);
+ note_digest_auth_failure(r, conf, resp, 0);
+ return HTTP_UNAUTHORIZED;
+ }
else {
/* AUTH_GENERAL_ERROR (or worse)
* We'll assume that the module has already said what its error
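Review bot: the new AUTH_DENIED branch changes what a digest provider is allowed to return, but the patch only touches mod_auth_digest.c; the provider interface description in mod_auth.h (and CHANGES) should be updated in the same commit to state that AUTH_DENIED is now honoured by the digest front end and ends the chain with a 401, otherwise provider authors will keep assuming only AUTH_USER_NOT_FOUND and AUTH_GENERAL_ERROR are supported, which is exactly the gap the mail describes. Placement looks right: the branch sits before the catch-all `else`, so a denial no longer falls into the AUTH_GENERAL_ERROR path and its 500. One small nit on the log line: `"Digest: user `%s' in realm `%s' denied by provider: %s"` mirrors the existing not-found message, so the trailing `%s` is r->uri rather than a reason, and it may be worth saying so in the comment since "denied by provider: /path" reads as if the path were the cause.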