On Wed, 2009-05-06 at 00:21 -0400, Edward Ned Harvey wrote:
> I have mod_authnz_ldap_module loaded and working properly.  Users can
> log in and navigate to pages where they are granted "Require User" but
> when the user navigates to a page where they have no access, it
> prompts them again to log in, and just keeps prompting for username &
> password again.  I would prefer to have an error message, "Access
> Denied" instead of prompting again for username & pass.
>  
> Is this an obvious situation to somebody here?  Should I provide more
> details?  Should I post the question someplace else?
>  
> Thanks for your help...

Apache already does this, but your browser does not display it.

Strictly speaking, Apache never prompts a user to log in; it simply
informs them, via a 403 response, that authorisation is required. Your
browser then interprets this as a request to prompt you for
authorisation credentials, which it then resubmits. The RFC is telling
on this point, and most browsers ignore it (important sentence starred):

        10.4.2 401 Unauthorized
        The request requires user authentication. The response MUST
        include a WWW-Authenticate header field (section 14.47)
        containing a challenge applicable to the requested resource. The
        client MAY repeat the request with a suitable Authorization
        header field (section 14.8). If the request already included
        Authorization credentials, then the 401 response indicates that
        authorization has been refused for those credentials. **If the
        401 response contains the same challenge as the prior response,
        and the user agent has already attempted authentication at least
        once, then the user SHOULD be presented the entity that was
        given in the response, since that entity might include relevant
        diagnostic information.** HTTP access authentication is
        explained in "HTTP Authentication: Basic and Digest Access
        Authentication"

If your browser continually prompts you for a username having supplied
one, without showing you the error page returned by Apache, it isn't
following the RFC :)

You can of course customise the error document returned with the
ErrorDocument directive; perhaps if that is large enough, that might
cause the browser to display it (q.v. Internet Explorer 404 pages).

Cheers

Tom
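
An added example, not part of the original message: a local Python test server and client that replay the exchange described in the reply. The server answers an authenticated but unauthorised user with the same 401 challenge, and the client applies the starred RFC sentence by showing the entity instead of prompting again. The accounts, path and realm are constructed for the demo.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: two valid accounts, one page restricted to alice.
USERS = {"alice": "pw1", "bob": "pw2"}
ALLOWED = {"/alice-only": {"alice"}}
CHALLENGE = 'Basic realm="demo"'

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        user, auth = None, self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            name, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            user = name if USERS.get(name) == pw else None
        if user in ALLOWED.get(self.path, ()):
            code, body = 200, b"welcome"
        else:  # valid login but wrong user: the same 401 challenge is sent again
            code, body = 401, b"Access Denied"
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", CHALLENGE)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def fetch(port, path, creds=None):
    """One GET; creds is an optional (user, password) pair."""
    headers = {}
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    result = resp.status, resp.getheader("WWW-Authenticate"), resp.read().decode()
    conn.close()
    return result

def browse(port, path, creds):
    """Client side of RFC 2616 10.4.2: same challenge after one attempt -> show entity."""
    _, first, _ = fetch(port, path)                  # unauthenticated probe
    status, again, body = fetch(port, path, creds)   # one attempt with credentials
    if status == 401 and again == first:
        return "show-entity", body                   # do not prompt a second time
    return ("prompt", "") if status == 401 else ("show", body)

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Handler)      # port 0: any free local port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_port
    result = browse(port, "/alice-only", ("alice", "pw1")), browse(port, "/alice-only", ("bob", "pw2"))
    srv.shutdown(); srv.server_close()
    return result
```

`demo()` returns the outcome for alice (page shown) and for bob (the "Access Denied" entity shown, no second prompt).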


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.