On Fri, 2009-05-08 at 11:25 -0400, Edward Ned Harvey wrote:
> Perhaps I'm not properly distinguishing authentication and authorization.
> 
> In order to get anywhere, the user has already authenticated.  However,
> there are some pages where a user should not be authorized, and rather than
> prompt them to re-authenticate, I want to display something saying they're
> not authorized.
> 
> I currently have "require user" in the .htaccess file, and the behavior is
> to continually prompt the user to re-authenticate when they attempt to
> access a page where they should not be authorized.
> 
> Does anybody know of any way for me to change something and get better
> behavior?  I don't care about RFCs and whether browsers are conforming or
> not.  I only care about getting the desired behavior.
> 
> Thanks again...
> 
> 
> 
> 
> On 5/7/09 4:02 PM, "Tom Evans" <tevans...@googlemail.com> wrote:
> 
> > On Wed, 2009-05-06 at 00:21 -0400, Edward Ned Harvey wrote:
> >> I have mod_authnz_ldap_module loaded and working properly.  Users can
> >> login and navigate to pages where they are granted "Require User" but
> >> when the user navigates to a page where they have no access, it
> >> prompts them again to login, and just keeps prompting for username &
> >> password again.  I would prefer to have an error message, "Access
> >> Denied" instead of prompting again for username & pass.
> >>  
> >> Is this an obvious situation to somebody here?  Should I provide more
> >> details?  Should I post the question someplace else?
> >>  
> >> Thanks for your help...
> > 
> > Apache already does this, but your browser does not display it.
> > 
> > Strictly speaking, apache never prompts a user to login, it simply
> > informs them, via a 403 response, that authorisation is required. Your
> > browser then interprets this as a request to prompt you for
> > authorisation credentials, which it then resubmits. The RFC is telling
> > on this point, and most browsers ignore it (important sentence starred):
> > 
> >         10.4.2 401 Unauthorized
> >         The request requires user authentication. The response MUST
> >         include a WWW-Authenticate header field (section 14.47)
> >         containing a challenge applicable to the requested resource. The
> >         client MAY repeat the request with a suitable Authorization
> >         header field (section 14.8). If the request already included
> >         Authorization credentials, then the 401 response indicates that
> >         authorization has been refused for those credentials. **If the
> >         401 response contains the same challenge as the prior response,
> >         and the user agent has already attempted authentication at least
> >         once, then the user SHOULD be presented the entity that was
> >         given in the response, since that entity might include relevant
> >         diagnostic information.** HTTP access authentication is
> >         explained in "HTTP Authentication: Basic and Digest Access
> >         Authentication"
> > 
> > If your browser continually prompts you for a username having supplied
> > one, without showing you the error page returned by apache, it isn't
> > following the RFC :)
> > 
> > You can of course customise the error document returned with the
> > ErrorDocument directive, perhaps if that is large enough that might
> > cause the browser to display (qv internet explorer 404 pages).
> > 
> > Cheers
> > 
> > Tom
> > 
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >    "   from the digest: users-digest-unsubscr...@httpd.apache.org
> > For additional commands, e-mail: users-h...@httpd.apache.org
> > 
> 
> 
> 

And how would users who have a different set of credentials they could
use for this second URL enter those credentials? The RFC specifies a 401
response in this scenario to allow a UA to resubmit different
credentials.

You might not care about the RFC, but Apache and browsers mostly do. The
behaviour you want goes against the behaviour described in the RFC, so
to get it you would need to have a custom authorization system.

Tom
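The "custom authorization system" Tom refers to, as an added example in Python that is not code from this thread or from Apache: it answers 401 with a challenge when credentials are missing or wrong, and 403 with a diagnostic body (and no challenge) when the credentials are valid but the user is not on the path's allow list, which is the behaviour Edward wants and which Apache's `Require user` does not give. The user table, paths and realm are constructed placeholders.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample user table (stands in for the LDAP directory in the thread).
USERS: Dict[str, str] = {"alice": "wonderland", "bob": "builder"}
# Constructed per-path allow lists, mirroring "Require user" in .htaccess.
REQUIRE_USER: Dict[str, set] = {"/reports": {"alice"}, "/public": set(USERS)}
REALM = "Restricted"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authz_header: Optional[str]) -> Optional[str]:
    """Return the user name if the Basic credentials are valid, else None."""
    if not authz_header or not authz_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authz_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if not sep or expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def authorize(path: str, authz_header: Optional[str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a request to `path` with the given header."""
    user = authenticate(authz_header)
    if user is None:
        # No or bad credentials: 401 with a challenge, so the browser prompts.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Authentication required"
    if user not in REQUIRE_USER.get(path, set()):
        # Authenticated but not permitted: 403 without a challenge, so the browser
        # shows this body instead of re-prompting (Apache itself answers 401 here).
        return 403, {}, f"Access denied: user {user!r} is not authorized for {path}"
    return 200, {}, f"Welcome {user}"
```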


