Using Apache/2.2.17 mod_perl/2.0.5.

We have a PerlAuthenHandler that (on failure to authenticate) sets two headers 
('Set-Cookie' and 'WWW-Authenticate') and returns HTTP_UNAUTHORIZED. We also use 
$r->custom_response to set a URL as the response body.

What I expect Apache to send to the client is something like this:

HTTP/1.1 401 Authorization Required
Date: Sat, 28 May 2011 16:30:58 GMT
Server: Apache/2.2.17 (Unix) PHP/5.3.4
WWW-Authenticate: MySpecialAuthMethod
Content-Type: text/html; charset=iso-8859-1
Content-Language: en

with a response body containing a URL that was set with $r->custom_response 
(see example below).

But: The response that Apache actually sends is a 302, without the 'Set-Cookie' 
or 'WWW-Authenticate' headers.

Does setting a URL as the string (second argument) to custom_response force 
Apache to turn the response into a 302 redirect?


Here is an example of the authenticate subroutine I am using:



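use Apache2::Const  qw(:common :http :log);
use Apache2::RequestRec ();    # err_headers_out, unparsed_uri
use Apache2::Response ();      # custom_response
use Apache2::Log ();           # $r->log
use APR::Table ();             # ->add on the header tables
use Scalar::Util qw(blessed);
use URI;
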
sub authenticate {
    my ($r) = @_;

    my $handler = _load_handler($r);
    return SERVER_ERROR unless blessed $handler;

    my $auth_status
        = $handler->validateCookieWithFunction( $handler->validatorFunctions );

    if ( _status_is_success($auth_status) ) {
        return OK;
    }

    # Everything works fine up to this point.


    if ( $handler->shouldClearCookie($auth_status) ) {
        my $empty_cookie = $handler->cookieWithNoValueAndExpiresNow();
        $r->err_headers_out->add( 'Set-Cookie' => $empty_cookie );
        $r->err_headers_out->add( 'WWW-Authenticate' => 'MySpecialAuthMethod' );
        $r->log->warn(
            "authenticate: Setting/clearing cookie: '$empty_cookie'");
    }

    my $uri = URI->new( $handler->getAuthURL );
    $uri->query_form(
        myKey => $handler->getMyKey,
        path     => $r->unparsed_uri,
    );

    $handler->DESTROY;

    $r->log->warn(
        "authenticate: No AuthCookie found. Returning HTTP_UNAUTHORIZED with response body: '$uri'"
    );

    # The URL is passed as the custom response for the 401 status.
    $r->custom_response( HTTP_UNAUTHORIZED, $uri );
    return HTTP_UNAUTHORIZED;
}

# Apache actually returns a 302 with a Location: header of the $uri created
# above.
# The response does NOT have the two headers we created: 'Set-Cookie' nor
# 'WWW-Authenticate'

