httpd-users mailing list archives

From Edward Harvey <edward.har...@lyricsemiconductor.com>
Subject Re: [users@httpd] A couple of questions about mod_authz_ldap
Date Tue, 12 May 2009 19:41:57 GMT
> And how would users who have a different set of credentials they could
> use for this second URL enter those credentials? The RFC specifies a 401
> response in this scenario to allow a UA to resubmit different
> credentials.
>
> You might not care about the RFC, but Apache and browsers mostly do. The
> behaviour you want goes against the behaviour described in the RFC, so
> to get it you would need to have a custom authorization system.

Well, so I'm acknowledging there's no way to do what I want to do, but
I'll respond to this anyway.

Suppose somebody were to launch an FTP client and browse a remote
site.  If they attempt to access an area where they are denied access,
they would get "access denied" and then they would know they got
access denied with the current credentials.  If they have another set
of credentials, they will know they should reconnect with different
credentials.

If they're already authenticated and browsing along a website and try
to access a restricted item, they don't get "access denied"; they get
"please enter your username/password", which is identical to the
behavior for unauthenticated users.  The users that I support generally
think to themselves, "I thought I already did?"  And they retry and
retry until they finally conclude that isn't going to work.

Each browser has a different way of allowing a user to re-authenticate
with different credentials.  Some have more than one way.

So I acknowledge the world isn't perfect, you don't always get
everything you want, but I do want you to acknowledge one thing, if
you please:

If a user is already authenticated, and they try to access something
which is denied, then it is more useful to communicate to the user
"Your current credentials were denied" and "You may now authenticate
with different credentials if you wish" instead of giving them the
"Please enter username/password" prompt which is identical to an
unauthenticated user.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

