httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Edward Ned Harvey <>
Subject Re: [users@httpd] A couple of questions about mod_authz_ldap
Date Fri, 08 May 2009 15:25:17 GMT
Perhaps I'm not properly distinguishing authentication and authorization.

In order to get anywhere, the user has already authenticated.  However,
there are some pages where a user should not be authorized, and rather than
prompt them to re-authenticate, I want to display something saying they're
not authorized.

I currently have "require user" in the .htaccess file, and the behavior is
to continually prompt the user to re-authenticate when they attempt to
access a page where they should not be authorized.

Does anybody know of any way for me to change something and get better
behavior?  I don't care about RFC's and whether browsers are conforming or
not.  I only care about getting the desired behavior.

Thanks again...

On 5/7/09 4:02 PM, "Tom Evans" <> wrote:

> On Wed, 2009-05-06 at 00:21 -0400, Edward Ned Harvey wrote:
>> I have mod_authnz_ldap_module loaded and working properly.  Users can
>> login and navigate to pages where they are granted "Require User" but
>> when the user navigates to a page where they have no access, it
>> prompts them again to login, and just keeps prompting for username &
>> password again.  I would prefer to have an error message, "Access
>> Denied" instead of prompting again for username & pass.
>> Is this an obvious situation to somebody here?  Should I provide more
>> details?  Should I post the question someplace else?
>> Thanks for your help...
> Apache already does this, but your browser does not display it.
> Strictly speaking, apache never prompts a user to login, it simply
> informs them, via a 403 response, that authorisation is required. Your
> browser then interprets this as a request to prompt you for
> authorisation credentials, which it then resubmits. The RFC is telling
> on this point, and most browsers ignore it (important sentence starred):
>         10.4.2 401 Unauthorized
>         The request requires user authentication. The response MUST
>         include a WWW-Authenticate header field (section 14.47)
>         containing a challenge applicable to the requested resource. The
>         client MAY repeat the request with a suitable Authorization
>         header field (section 14.8). If the request already included
>         Authorization credentials, then the 401 response indicates that
>         authorization has been refused for those credentials. **If the
>         401 response contains the same challenge as the prior response,
>         and the user agent has already attempted authentication at least
>         once, then the user SHOULD be presented the entity that was
>         given in the response, since that entity might include relevant
>         diagnostic information.** HTTP access authentication is
>         explained in "HTTP Authentication: Basic and Digest Access
>         Authentication"
> If your browser continually prompts you for a username having supplied
> one, without showing you the error page returned by apache, it isn't
> following the RFC :)
> You can of course customise the error document returned with the
> ErrorDocument directive, perhaps if that is large enough that might
> cause the browser to display (qv internet explorer 404 pages).
> Cheers
> Tom
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>    "   from the digest:
> For additional commands, e-mail:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message