Received: (qmail 29609 invoked by uid 501); 10 Jul 2000 09:14:32 -0000 Message-Id: <20000710091432.29608.qmail@locus.apache.org> Date: 10 Jul 2000 09:14:32 -0000 From: Rainer Scherg Reply-To: Rainer.Scherg@rexroth.de To: submit@bugz.apache.org Subject: Problem in authentification module chain X-Send-Pr-Version: 3.110 >Number: 6292 >Category: mod_auth-any >Synopsis: Problem in authentification module chain >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Jul 10 02:20:00 PDT 2000 >Closed-Date: >Last-Modified: >Originator: Rainer.Scherg@rexroth.de >Release: 1.3.x >Organization: apache >Environment: Sun Solaris, GCC >Description: Hi! This is a small design bug, which should be IMO fixed. When using several chained authentification modules in apache, you can pass a failed authentification to the next auth-module in chain (e.g. by configuring AuthAuthoritative Off [mod_auth.c]). If the auth request is passing the last module (without being authentificated), you will get an internal server error (the auth. request is passes into nirwana). You have to close the browser to make this error go away (to enforce a new authentification). >How-To-Repeat: use on or more Auth-Modules, configured to pass the authent. to the next module in chain e.g. with Configs like "AuthAuthoritative Off" >Fix: There should be a small and simple module "mod_auth_fail.c" installed als last module in the auth. chain to prevent an error 500. If all auth modules are passing the auth-request to the next in chain, this modules enforces a negative authentification at the end of the auth chain. This could also be done by proper (re-)configuration of all .htaccess files on the server - but in our case we had to rearrange the order of our auth. modules. So we hit this design bug. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]