hi all

in 2.1 there is no supported API for a digest provider to deny a user outright before a password match is tried.

digest providers are currently limited to AUTH_USER_NOT_FOUND or AUTH_GENERAL_ERROR for errors. recent changes in AUTH_GENERAL_ERROR make it return 500 to match how Basic auth is handled, and AUTH_USER_NOT_FOUND releases control to the next provider in the chain. this all leaves digest providers without a way to return 401 and stop the authentication chain. basic providers, however, can use AUTH_DENIED to accomplish this.

so, I'd like to support AUTH_DENIED from digest providers as well. this simple patch is all that is required.

--Geoff
Index: modules/aaa/mod_auth_digest.c =================================================================== RCS file: /home/cvs/httpd-2.0/modules/aaa/mod_auth_digest.c,v retrieving revision 1.87 diff -u -r1.87 mod_auth_digest.c --- modules/aaa/mod_auth_digest.c 23 Mar 2004 13:57:48 -0000 1.87 +++ modules/aaa/mod_auth_digest.c 5 Apr 2004 13:33:10 -0000 @@ -1777,6 +1777,14 @@ else if (return_code == AUTH_USER_FOUND) { /* we have a password, so continue */ } + else if (return_code == AUTH_DENIED) { + /* authentication denied in the provider before attempting a match */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Digest: user `%s' in realm `%s' denied by provider: %s", + r->user, conf->realm, r->uri); + note_digest_auth_failure(r, conf, resp, 0); + return HTTP_UNAUTHORIZED; + } else { /* AUTH_GENERAL_ERROR (or worse) * We'll assume that the module has already said what its error
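Review bot: In the new AUTH_DENIED branch, the ap_log_rerror call writes r->user at APLOG_ERR even though, as the branch's own comment says, no password match has been attempted yet, so the name in the log line is an unverified client-supplied value and a client whose user the provider denies can produce error-level entries on every request. Consider whether a deliberate denial by the provider warrants error level, and word the message so it is clear the user name was not authenticated. The branch also widens what a digest provider may return, so the provider documentation should state that AUTH_DENIED results in note_digest_auth_failure plus HTTP_UNAUTHORIZED and ends the provider chain, in contrast to AUTH_USER_NOT_FOUND, which passes control to the next provider.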