From nobody@hyperreal.org Mon Jul 7 11:33:16 1997 Received: (from nobody@localhost) by hyperreal.org (8.8.5/8.8.5) id LAA29149; Mon, 7 Jul 1997 11:33:16 -0700 (PDT) Message-Id: <199707071833.LAA29149@hyperreal.org> Date: Mon, 7 Jul 1997 11:33:16 -0700 (PDT) From: David Saez Reply-To: david@ols.es To: apbugs@hyperreal.org Subject: Not prompting for username/password when defining ErrorDocument X-Send-Pr-Version: 3.2 >Number: 831 >Category: mod_auth-any >Synopsis: Not prompting for username/password when defining ErrorDocument >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Jul 7 11:40:01 1997 >Originator: david@ols.es >Organization: >Release: 1.2 >Environment: SunOS axil 5.5 Generic sun4m sparc sun4m GNU gcc 2.7.2 >Description: When protecting a directory with some kind of authentification (both AuthUserFile and AuthExternal tested) in .htaccess or access.conf (both tested) and defining ErrorDocument 401 in srm.conf nobody is prompted for username/password and gets directly the document pointed by the ErrorDocument 401. >How-To-Repeat: ----- srm.conf ------ ErrorDocument 401 http://web.ols.es/messages/401.html ---- access.conf ---- AllowOverride All Options Indexes AuthUserFile /usr/local/etc/httpd/test.psw AuthName TEST AuthType Basic order deny,allow allow from all require valid-user >Fix: nope >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Mon Jul 7 11:46:01 PDT 1997 State-Changed-Why: There are several closed PRs in the database on this same subject, and it is documented in the FAQ. You can not use a remote URL due to the way authentication works. You have to use one on the local server, ie. in the form /messages/401.html not http://foo/message/401.html. From: Marc Slemko To: David Saez Padros Subject: Re: mod_auth-any/831: Not prompting for username/password when defining ErrorDocument Date: Mon, 7 Jul 1997 13:35:24 -0600 (MDT) On Mon, 7 Jul 1997, David Saez Padros wrote: > The problem is that I'm hosting virtual hosts in each machine and > would like to have error responses for each virtual server and > machine to be the same html file. If I make error responses to > be relative I have to redirect it to the apropiate url, and do > the same each time I add a virtual server. The only solution I can think of offhand would be a global alias that mapped a certain path under each virtual domain to the main server. > > BTW, it does not look too clear to me why it must happens The normal way of notifiying a client that authorization is required is to send a 401 response. That notifies the client that authorization is required. The normal way to tell the client that authorization failed is to send another 401 with a failure message. If you have an ErrorDocument for 401 responses that points to a http:// URL, then Apache must send a redirect with a Location: header to tell the client to get that resource. That means it can't send a 401 which means the client never knows authorization is required. URLs without a method can be handled as internal redirects, without sending one to the client, avoiding this problem. In your case, since it is on the same server, it would be possible for Apache to look at the URL and figure out that it really is on the same server and do the internal rewrite, but that is a complicated issue and can be a bad thing to do. >Unformatted: >Last-Modified: Mon Jul 7 11:46:02 PDT 1997