Re: AuthzSendUnauthorizeOnFailure?

On Oct 2, 2019, at 5:53 PM, Jack Simmons <goldendev@xxxxxxx.INVALID> wrote:
> Is it possible to force apache to return HTTP 401 instead of HTTP 403 if any condition inside RequireAll fails?

The two codes mean different things.

401 basically means “hey, you need to log in or log in again” (Unauthorized) while 403 means “Hey, I know you logged in, but you aren’t allowed to access this” (Forbidden).

> Yet if I will put "Require env SMTH" additionally, apache will check "Require valid user" but then, after it will fail with "denied (no authenticated user yet)", it will also check my second "Require" and will fail just with "denied" and throw HTTP 403. I think this is a bug. Why apache checks for a second Require in RequireAll if the first one failed already?

Digging far into the recesses of my memory, RequireAll always checks every clause because, for example, you can do something like this:

<RequireAll>
Require all granted
Require not ip 10.252.46.165
</RequireAll>

Which allows all users UNLESS they are from 10.252.46.165

<https://httpd.apache.org/docs/2.4/howto/access.html>

The purpose of <requireAll> is to group things into one logical block. If you want things to fail in order without checking other conditions, don’t use requireAll?



-- 
I'm just going to go home, lie down, and listen to country
music. The music of pain.

