Marcel Weber wrote:
>
> Fixed some errors. Here comes the working version:
>
<untested>
I think you might need to iterate through $r->err_headers_out and remove WWW-Authenticate and Proxy-Authenticate after each authentication module runs. say you have an AuthSMB and AuthSybase chain. AuthSMB calls note_basic_auth_failure and sets the WWW-Authenticate header, AuthSybase succeeds and sets the Authorization header. in this case, both WWW-Authenticate and Authorization will be passed to the browser (I think), which could lead to spurious results in some browsers.
</untested>

also, you might want to check specifically for AUTH_REQUIRED instead of OK in the chain. AUTH_REQUIRED is not the only return code that get_basic_auth_pw can return (SERVER_ERROR and DECLINED are also possible) and you probably would want to propagate a SERVER_ERROR rather than returning AUTH_REQUIRED.

HTH

--Geoff
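
The chain logic suggested in this reply, as an added example that is not part of the original post or of Marcel's module: plain Perl with a mock request hash standing in for `$r->err_headers_out`, locally defined constants in place of Apache::Constants, and hypothetical module subs named after the ones in the mail. Returning any code other than OK or AUTH_REQUIRED unchanged, and the realm strings, are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed stand-ins for Apache::Constants, so the script runs without Apache.
use constant { OK => 0, DECLINED => -1, AUTH_REQUIRED => 401, SERVER_ERROR => 500 };

my @CHALLENGE = ('WWW-Authenticate', 'Proxy-Authenticate');

# Run each auth module in order. Only AUTH_REQUIRED means "try the next one".
sub run_chain {
    my ($r, @modules) = @_;
    for my $module (@modules) {
        my $rc = $module->($r);
        # Drop any challenge this module left behind, so a later success
        # is not sent together with a stale WWW-Authenticate header.
        delete @{ $r->{err_headers_out} }{@CHALLENGE};
        return OK if $rc == OK;
        return $rc unless $rc == AUTH_REQUIRED;   # e.g. SERVER_ERROR, DECLINED
    }
    # Every module refused: issue exactly one challenge for the whole chain.
    $r->{err_headers_out}{'WWW-Authenticate'} = 'Basic realm="example"';
    return AUTH_REQUIRED;
}

# Constructed mock modules (hypothetical, not the real AuthSMB/AuthSybase).
sub auth_smb_fail {
    my ($r) = @_;
    $r->{err_headers_out}{'WWW-Authenticate'} = 'Basic realm="smb"';
    return AUTH_REQUIRED;
}
sub auth_sybase_ok   { return OK }
sub auth_sybase_down { return SERVER_ERROR }

for my $case (
    [ 'SMB fails, Sybase succeeds' => \&auth_smb_fail, \&auth_sybase_ok ],
    [ 'SMB fails, Sybase errors'   => \&auth_smb_fail, \&auth_sybase_down ],
    [ 'both refuse'                => \&auth_smb_fail, \&auth_smb_fail ],
) {
    my ($name, @modules) = @$case;
    my $r   = { err_headers_out => {} };   # mock request, not Apache's $r
    my $rc  = run_chain($r, @modules);
    my $hdr = $r->{err_headers_out}{'WWW-Authenticate'} // '(none)';
    print "$name: rc=$rc WWW-Authenticate=$hdr\n";
}
```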