Perhaps I'm not properly distinguishing authentication and authorization. In order to get anywhere, the user has already authenticated. However, there are some pages where a user should not be authorized, and rather than prompt them to re-authenticate, I want to display something saying they're not authorized.

I currently have "require user" in the .htaccess file, and the behavior is to continually prompt the user to re-authenticate when they attempt to access a page where they should not be authorized. Does anybody know of any way for me to change something and get better behavior? I don't care about RFCs and whether browsers are conforming or not. I only care about getting the desired behavior.

Thanks again...

On 5/7/09 4:02 PM, "Tom Evans" <tevans.uk@xxxxxxxxxxxxxx> wrote:

> On Wed, 2009-05-06 at 00:21 -0400, Edward Ned Harvey wrote:
>> I have mod_authnz_ldap_module loaded and working properly. Users can
>> login and navigate to pages where they are granted "Require User" but
>> when the user navigates to a page where they have no access, it
>> prompts them again to login, and just keeps prompting for username &
>> password again. I would prefer to have an error message, "Access
>> Denied" instead of prompting again for username & pass.
>>
>> Is this an obvious situation to somebody here? Should I provide more
>> details? Should I post the question someplace else?
>>
>> Thanks for your help...
>
> Apache already does this, but your browser does not display it.
>
> Strictly speaking, apache never prompts a user to login, it simply
> informs them, via a 403 response, that authorisation is required. Your
> browser then interprets this as a request to prompt you for
> authorisation credentials, which it then resubmits. The RFC is telling
> on this point, and most browsers ignore it (important sentence starred):
>
>     10.4.2 401 Unauthorized
>
>     The request requires user authentication. The response MUST
>     include a WWW-Authenticate header field (section 14.47)
>     containing a challenge applicable to the requested resource. The
>     client MAY repeat the request with a suitable Authorization
>     header field (section 14.8). If the request already included
>     Authorization credentials, then the 401 response indicates that
>     authorization has been refused for those credentials. **If the
>     401 response contains the same challenge as the prior response,
>     and the user agent has already attempted authentication at least
>     once, then the user SHOULD be presented the entity that was
>     given in the response, since that entity might include relevant
>     diagnostic information.** HTTP access authentication is
>     explained in "HTTP Authentication: Basic and Digest Access
>     Authentication"
>
> If your browser continually prompts you for a username having supplied
> one, without showing you the error page returned by apache, it isn't
> following the RFC :)
>
> You can of course customise the error document returned with the
> ErrorDocument directive, perhaps if that is large enough that might
> cause the browser to display (qv internet explorer 404 pages).
>
> Cheers
>
> Tom
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
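An added configuration example, not from the thread or the Apache project, showing the ErrorDocument approach Tom describes for an mod_authnz_ldap setup, the companion rule that keeps the error page itself reachable, and the directive Apache 2.4 later added for exactly this authenticated-but-unauthorized case. The LDAP URL, paths and user names are placeholders.

```apache
# Added example, not from the thread. Placeholder LDAP URL, paths and users.
#
# .htaccess in the protected directory (Apache 2.2 style, mod_authnz_ldap):
AuthType Basic
AuthName "Intranet"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.example.invalid/ou=People,dc=example,dc=invalid?uid"
Require valid-user

# Tighter rule for one page. In 2.2 an authenticated user who is not listed
# still receives a 401 carrying the same WWW-Authenticate challenge, so the
# browser decides whether to show the body or re-prompt. ErrorDocument only
# controls that body, which is why it must be a local path: a remote URL would
# turn the 401 into a redirect and the browser would never see the status.
<Files "admin.php">
    Require user alice bob
</Files>
ErrorDocument 401 /errors/access-denied.html

# httpd.conf: the error page must be reachable without credentials, otherwise
# the browser is bounced into another 401 (2.2 host-based access directives).
<Directory "/var/www/errors">
    Order allow,deny
    Allow from all
    Satisfy Any
</Directory>

# Apache 2.4 (mod_authz_core) can answer the authenticated-but-unauthorized
# case with a 403 instead, which no browser treats as a login prompt:
# AuthzSendForbiddenOnFailure On
```

On a 2.2 server the browser's behaviour is still the deciding factor, so check with a non-browser client (for example a curl request carrying valid credentials for a disallowed user) that the 401 body is the intended access-denied page before blaming the configuration.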