Received: (qmail 35237 invoked by uid 501); 23 Jan 2001 09:37:32 -0000
Message-Id: <20010123093732.35236.qmail@apache.org>
Date: 23 Jan 2001 09:37:32 -0000
From: Joost Kuif <joost.kuif@cmg.nl>
Reply-To: joost.kuif@cmg.nl
To: submit@bugz.apache.org
Subject: Apache does not send WWW-Authenticate header
X-Send-Pr-Version: 3.110

>Number:         7114
>Category:       general
>Synopsis:       Apache does not send WWW-Authenticate header
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Jan 23 01:40:01 PST 2001
>Closed-Date:    Sat Feb 24 15:09:18 PST 2001
>Last-Modified:  Sat Feb 24 15:09:18 PST 2001
>Originator:     joost.kuif@cmg.nl
>Release:        1.3.14
>Organization:
>Environment:
TRU64 Unix 
OSF1 4.0 Alpha
>Description:
I am experiencing a bug in Apache.
We are running apache 1.3.12 and are using basic authentication. We use the DirectoryIndex directive (who doesn’t) so that users don’t have to type in “index.html” after our hostname.
In the webserver’s htdocs directory (DocumentRoot) we have specified: 
 
File .htaccess:
 
AuthType      Basic
AuthName      "my realm"
AuthUserFile /home/jkuif/web/conf/users
AuthGroupFile /home/jkuif/web/conf/groups
 
<Files index.html>
require valid-user
</Files>
 
 
With this configuration we experience the following problem:
 
1) A user enters the URL: www.example.com
2) The webserver will send a authentication page, but WITHOUT the WWW-Authenticate header.
3) In Internet Explorer 5.0 this missing header will result in the show of the HTML content of the http answer.
 
With a packetanalyser i see the following traffic:
 
16:40:57.706625  []  10.20.6.45.1356 > www.example.com.8091
 
HTTP =
(
    GET / HTTP/1.1
    Accept: */*
    Accept-Language: nl
    Accept-Encoding: gzip, deflate
    If-Modified-Since: Wed, 17 Jan 2001 17:14:12 GMT
    If-None-Match: "29131-323-3a65d2e4"
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)     Host: 10.16.247.158:8091
    Connection: Keep-Alive
)
 
 
16:40:57.724185  []  www.example.com.8091 > 10.20.6.45.1356
 
HTTP =
(
    HTTP/1.1 401 Authorization Required
    Date: Thu, 18 Jan 2001 15:40:57 GMT
    Server: Apache/1.3.12 (Unix) mod_perl/1.24 mod_ssl/2.6.6
OpenSSL/0.9.5a
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    18d
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">     <HTML><HEAD>
    <TITLE>401 Authorization Required</TITLE>
    </HEAD><BODY>
    <H1>Authorization Required</H1>
    This server could not verify that you
    are authorized to access the document
    requested.  Either you supplied the wrong
    credentials (e.g., bad password), or your
    browser doesn't understand how to supply
    the credentials required.<P>
    </BODY></HTML>
    0
)
 
I tested the same configuration on 1.3.14, with the same results. So, with the configuration above, Apache knows it has to send the authentication stuff, but forgets to send the correct (WWW-
Authenticate) header. This flaw is only resulting in a problem with IE5. IE5 does not pop up a user/passwd dialog.
 
>How-To-Repeat:
Set the DirectoryIndex directive and use a htaccess file with a authentication configuration as described in "full description"
>Fix:
Apache is able to see that it has to send a authentication page, but only forgets to send the header, i think it won't be a problem to fix it.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: gstein
State-Changed-When: Sat Feb 24 15:09:18 PST 2001
State-Changed-Why:
patch supplied by Gertjan van Wingerde <gwingerde@home.nl>. applied for release in 1.3.19.
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]