www-apache-bugdb mailing list archives

From Rainer Scherg <Rainer.Sch...@rexroth.de>
Subject mod_auth-any/6292: Problem in authentification module chain
Date Mon, 10 Jul 2000 09:14:32 GMT

>Number:         6292
>Category:       mod_auth-any
>Synopsis:       Problem in authentification module chain
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jul 10 02:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Rainer.Scherg@rexroth.de
>Release:        1.3.x
>Organization:
apache
>Environment:
Sun Solaris, GCC
>Description:
Hi!

This is a small design bug, which IMO should be fixed.

When using several chained authentication modules in Apache, you can pass
a failed authentication to the next auth module in the chain (e.g. by
configuring AuthAuthoritative Off [mod_auth.c]).

If the auth request passes the last module (without being authenticated),
you will get an internal server error (the auth. request is passed into
nirvana). You have to close the browser to make this error go away
(to enforce a new authentication).

>How-To-Repeat:
Use one or more auth modules, configured to pass the authent. to the next module
in the chain, e.g. with configs like "AuthAuthoritative Off".
>Fix:
There should be a small and simple module "mod_auth_fail.c" installed as the last
module in the auth. chain to prevent an error 500. If all auth modules
are passing the auth request to the next in the chain, this module
enforces a negative authentication at the end of the auth chain.

This could also be done by proper (re-)configuration of all .htaccess files on
the server - but in our case we had to rearrange the order of our
auth. modules. So we hit this design bug.

>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
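
A simplified model of the fall-through described in this report, added here as an example (not code from Apache or from the submitter); the handler names, users and passwords are constructed, and the core's dispatch is reduced to a loop. It shows an unknown user ending as a 500 when every module declines, and as a 401 once a terminating handler like the proposed mod_auth_fail is last in the chain.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes, same meaning as in Apache 1.3's httpd.h. */
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401
#define HTTP_INTERNAL_SERVER_ERROR 500

/* Hypothetical, simplified request: only the supplied credentials. */
struct request { const char *user; const char *pass; };
typedef int (*check_user_fn)(const struct request *);

/* Model of a module configured with "AuthAuthoritative Off": a user it
 * does not know is handed to the next module instead of being rejected. */
static int non_authoritative(const struct request *r, const char *u, const char *p) {
    if (strcmp(r->user, u) != 0) return DECLINED;
    return strcmp(r->pass, p) == 0 ? OK : HTTP_UNAUTHORIZED;
}
static int auth_a(const struct request *r) { return non_authoritative(r, "alice", "pw-a"); }
static int auth_b(const struct request *r) { return non_authoritative(r, "bob", "pw-b"); }

/* The proposed terminator: never declines, always asks for credentials. */
static int auth_fail(const struct request *r) { (void)r; return HTTP_UNAUTHORIZED; }

/* Constructed chains: as reported, and with the terminator appended. */
static const check_user_fn AS_REPORTED[] = { auth_a, auth_b, NULL };
static const check_user_fn WITH_FAIL[] = { auth_a, auth_b, auth_fail, NULL };

/* Model of the core: the first answer other than DECLINED wins; if every
 * module declined, nobody decided and the request ends as a 500. */
int run_chain(const check_user_fn *chain, const char *user, const char *pass) {
    struct request r = { user, pass };
    for (; *chain != NULL; chain++) {
        int rc = (*chain)(&r);
        if (rc != DECLINED) return rc;
    }
    return HTTP_INTERNAL_SERVER_ERROR;
}

int main(void) {
    printf("unknown user, chain as reported: %d\n", run_chain(AS_REPORTED, "mallory", "x"));
    printf("unknown user, with terminator:   %d\n", run_chain(WITH_FAIL, "mallory", "x"));
    printf("bob, correct password:           %d\n", run_chain(WITH_FAIL, "bob", "pw-b"));
    return 0;
}
```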
 
 

