Whilst 2.2 is, as advertised, source-compatible with 2.0 auth modules, the current implementation requires that any auth configuration using such modules is changed to add "AuthBasicAuthoritative off" otherwise mod_auth_basic will see "no provider configured -> use default file provider -> fails (since no AuthUserFile is configured) -> deny access".
(the failure mode for this is particularly ugly: after an upgrade, a previously-working configuration turns into a 500 error with a weird error message logged, as ap_pcfg_openfile returns APR_EBADF when passed the NULL filename by mod_authn_file)

There are lots of 2.0-compatible auth modules out there, and upgrades which require admins to make changes to .htaccess files are not very attractive, so I think it's worth solving this problem if possible.

Solutions I can see:

- only have mod_auth_basic be authoritative if AuthBasicProvider is configured

- use some hack such that mod_auth_basic will DECLINE iff no provider is configured and mod_authn_file throws the AUTHN_GENERAL_ERROR. (attached as proof of concept)

Any thoughts, better ideas?

joe
--- httpd-2.2.0/modules/aaa/mod_authn_file.c.authnoprov +++ httpd-2.2.0/modules/aaa/mod_authn_file.c @@ -70,6 +70,10 @@ apr_status_t status; char *file_password = NULL; + if (!conf->pwfile) { + return AUTH_GENERAL_ERROR; + } + status = ap_pcfg_openfile(&f, r->pool, conf->pwfile); if (status != APR_SUCCESS) { --- httpd-2.2.0/modules/aaa/mod_auth_basic.c.authnoprov +++ httpd-2.2.0/modules/aaa/mod_auth_basic.c @@ -252,6 +252,14 @@ return DECLINED; } + /* If no providers were configured, and the default file + * provider gave a general error (which will happen only if + * has not been configured), presume that a non-provider-based + * authn module is configured, and get out of the way. */ + if (!conf->providers && auth_result == AUTH_GENERAL_ERROR) { + return DECLINED; + } + switch (auth_result) { case AUTH_DENIED: ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
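Review bot: in the mod_authn_file.c hunk, the new `if (!conf->pwfile)` early return carries no log message, so a configuration that genuinely lacks AuthUserFile (rather than one relying on a 2.0-style module) now fails with nothing recorded about why, whereas before at least the APR_EBADF failure from ap_pcfg_openfile was logged. Suggest an ap_log_rerror at debug level immediately before `return AUTH_GENERAL_ERROR;` naming the missing AuthUserFile, plus a one-line comment noting that mod_auth_basic relies on this specific return value to detect the no-provider case, so that a later change to the error code does not silently break that coupling.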
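Review bot: the new comment in the mod_auth_basic.c hunk is missing its subject: "which will happen only if has not been configured" should read "which will happen only if AuthUserFile has not been configured". On the logic, the `if (!conf->providers && auth_result == AUTH_GENERAL_ERROR)` test returns DECLINED whether or not a 2.0-style module is actually present and regardless of the AuthBasicAuthoritative setting, so an admin who merely forgot AuthUserFile no longer reaches the `switch (auth_result)` below and gets no module-level log entry; suggest an ap_log_rerror (debug level is enough) just before `return DECLINED;` stating that no provider is configured and that mod_auth_basic is stepping aside, so the misconfiguration stays diagnosable from the error log.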