>> hmm. Not sure that this will help. The 401 ErrorDocument is only
>> displayed, when I finally press the "cancel" button on the login
>> pop-up. I can do an infinite number of failed logins before without
>> getting the ErrorDocument displayed.
>
>No, in fact, the ErrorDocument is delivered to the browser
>immediately. It is the browser that looks at it, observes the 401
>error code, and displays a password prompt rather than the document
>itself. So by sending a code other than 401, you will prevent the
>prompt.

thanks. just learned something new :-)

>By the way, this whole discussion is premised on the assumption that
>your original use of FakeBasicAuth is correct. I wouldn't be at all

The use is correct, I believe. It is even documented that way. Just my use-case may be wrong :-)

>surprised if there was a better way of enforcing certificate use to

It is not about enforcing certificate use. That works fine as it is. What I need/want are additional restrictions on the individual certificates.

>prevent this whole problem. But I don't have enough ssl knowledge
>to say.
>

Looking at the documentation, there are two ways to achieve what I want. One is using the "FakeBasicAuth" method, the other is to formulate my filter using complex SSLRequire statements.

FakeBasicAuth has the advantage of not requiring changes to the httpd configuration files and not needing to restart the server. Just edit the password file if you want to add or delete recognized certificates. The disadvantages are the 401 problem I see and the feeling that something called FakeSomething may be a hack :-)

The SSLRequire method has the advantage that it would do what I want without the 401 problem. The disadvantages are that you need to edit the config files, that you need to restart the server and that the SSLRequire statements can get very complex if you want to deal with more than a handful of certificates.
Now, over the weekend I actually solved my problem by hacking up the mod_auth code to return HTTP_FORBIDDEN instead of HTTP_UNAUTHORIZED. I even added a new directive AuthTolerant in order to control the behaviour. If somebody is interested in the diffs, I am happy to supply them.

Cheers
Martin

------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
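
The two approaches weighed in the message above, sketched side by side as mod_ssl configuration. This is an added example, not configuration from the original post; the directory paths, password file path and subject DNs are constructed placeholders, and the CA certificate directives are assumed to be set at the virtual host level.

```apache
# Constructed example: paths, file names and subject DNs are placeholders.

# Method 1: FakeBasicAuth. mod_ssl presents the client certificate's
# subject DN as the Basic-auth user name with the fixed password "password",
# so the allow-list lives in the password file and can be edited without
# touching this configuration. A certificate whose DN is not listed fails
# Basic auth, which is the 401 response discussed in the thread.
<Directory "/var/www/secure-fakeauth">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLOptions      +FakeBasicAuth
    AuthType        Basic
    AuthName        "Client certificate required"
    AuthUserFile    "/etc/apache2/cert-users.passwd"
    Require         valid-user
</Directory>
# One line per accepted certificate in cert-users.passwd; the hash is the
# crypt() form of "password" given in the mod_ssl documentation:
#   /C=DE/O=Example GmbH/OU=Staff/CN=Alice Example:xxj31ZMTZzkVA

# Method 2: SSLRequire. The allow-list is an expression in the server
# configuration, so every change means editing this file and reloading
# the server, and the expression grows with each certificate added.
# The DN strings must match exactly what mod_ssl exports in
# SSL_CLIENT_S_DN for the certificate.
<Directory "/var/www/secure-sslrequire">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLRequire %{SSL_CLIENT_S_DN} in { \
        "/C=DE/O=Example GmbH/OU=Staff/CN=Alice Example", \
        "/C=DE/O=Example GmbH/OU=Staff/CN=Bob Example" }
</Directory>
```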