On 02.03.2016 17:53, Matthias Schmitt wrote:
Hello,
I am trying to handle basic authentication using mod_perl 2.0.9 and Apache
2.4.18.
I am getting the first request to my resource. The user is requesting the URL
without any username or password. My program should refuse the access to this
resource and force the web browser to offer a dialogue box with realm, username
and password. Here is what I tried:
    $o_Req->auth_name('Login');
    $o_Req->auth_type('Basic');
    $o_Req->note_basic_auth_failure();
    return Apache2::Const::HTTP_UNAUTHORIZED;
In fact the browser gets the 401 message, but does not open any dialog box. When
debugging with curl I can see the "HTTP/1.1 401 Unauthorized" header, but I
cannot see any trace of the authentication type “Basic” or name “Login”. So I try to
send them manually:
    $o_Req->note_basic_auth_failure();
    $o_Req->headers_out->set('WWW-Authenticate' => "Basic");
    $o_Req->headers_out->set('Realm' => "Login");

I believe that the above is supposed to be a single HTTP header, not 2:
    WWW-Authenticate: Basic realm="Login"

    return Apache2::Const::HTTP_UNAUTHORIZED;
but I still cannot see the authentication type or name. I tried with a
different return code “AUTH_REQUIRED”, but there was no difference in
behaviour. Where is the difference between HTTP_UNAUTHORIZED and AUTH_REQUIRED?
I assume the browser does not open the dialog box for requesting the username
and password, because it did not receive the realm name and authentication
type. So how can I send these?
BTW, the same program runs fine using mod_perl 2.0.6 and Apache 2.2.x.
There are some significant differences between the Apache 2.4 AAA logic and the
2.2 logic.
Have a look at CPAN. Search for Apache::AuthCookie, and look at the documents with the 2.4
suffix. There is an overview of the differences.
Another thing: above, you call your code "program". At what stage of the Apache request
cycle are you calling this code? Is this a Response handler, a PerlAuthenHandler, a
cgi-bin script?
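
Added example, not part of the thread and not either poster's code: a mod_perl 2 response handler that issues the Basic challenge as the single `WWW-Authenticate: Basic realm="Login"` header described in the reply and parses the returned credentials itself. The package name `My::BasicAuthResponse`, the `%USERS` table and its contents are hypothetical, and the handler is assumed to be wired in with `SetHandler perl-script` and `PerlResponseHandler`.

```perl
package My::BasicAuthResponse;   # hypothetical package name

use strict;
use warnings;

use Apache2::RequestRec ();      # headers_in, err_headers_out, user, content_type
use Apache2::RequestIO ();       # print
use APR::Table ();               # get/set on header tables
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);
use MIME::Base64 qw(decode_base64);

my $REALM = 'Login';                          # realm name used in the thread
my %USERS = (alice => 'constructed-secret');  # constructed sample data only

# Send the challenge as ONE header: WWW-Authenticate: Basic realm="Login".
# err_headers_out is used because headers_out is discarded on error responses.
sub challenge {
    my ($r) = @_;
    $r->err_headers_out->set('WWW-Authenticate' => qq{Basic realm="$REALM"});
    return Apache2::Const::HTTP_UNAUTHORIZED;
}

sub handler {
    my ($r) = @_;

    # No Authorization header, or a scheme other than Basic: ask for credentials.
    my $auth = $r->headers_in->get('Authorization') // '';
    my ($b64) = $auth =~ /^Basic\s+([A-Za-z0-9+\/=]+)\s*$/i
        or return challenge($r);

    # Credentials are base64("user:password"); split on the first colon only,
    # because the password itself may contain colons.
    my ($user, $pass) = split /:/, decode_base64($b64), 2;
    return challenge($r)
        unless defined $pass && exists $USERS{$user} && $USERS{$user} eq $pass;

    $r->user($user);                  # record the authenticated user name
    $r->content_type('text/plain');
    $r->print("Hello, $user\n");
    return Apache2::Const::OK;
}

1;
```

Basic credentials are only base64-encoded, so a handler like this belongs behind TLS, and the constructed `%USERS` lookup stands in for verification against a hashed password store.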