Re: A couple of questions about mod_authz_ldap

Edward Harvey wrote:
And how would users who have a different set of credentials they could
use for this second URL enter those credentials? The RFC specifies a 401
response in this scenario to allow a UA to resubmit different
credentials.

You might not care about the RFC, but Apache and browsers mostly do. The
behaviour you want goes against the behaviour described in the RFC, so
to get it you would need to have a custom authorization system.

Well, so I'm acknowledging there's no way to do what I want to do, but
I'll respond to this anyway.

Suppose somebody were to launch an FTP client and browse a remote
site.  If they attempt to access an area where they are denied access,
they would get "access denied" and then they would know they got
access denied with the current credentials.  If they have another set
of credentials, they will know they should reconnect with different
credentials.

If they're already authenticated and browsing along a website and try
to access a restricted item, they don't get "access denied" they get
"please enter your username/password", which is the same behavior as for
unauthenticated users.  The users that I support generally think to
themselves, "I thought I already did?"  And they retry and retry until
they finally conclude that isn't going to work.

Each browser has a different way of allowing a user to re-authenticate
with different credentials.  Some have more than one way.

So I acknowledge the world isn't perfect, you don't always get
everything you want, but I do want you to acknowledge one thing, if
you please:

If a user is already authenticated, and they try to access something
which is denied, then it is more useful to communicate to the user
"Your current credentials were denied" and "You may now authenticate
with different credentials if you wish" instead of giving them the
"Please enter username/password" prompt which is identical to an
unauthenticated user.

Without letting this degenerate into a flame... (or is it a troll?)
You are probably right.
But what the previous person was telling you is that it is not a problem of Apache, it is a problem of the browser. The HTTP protocol RFC indicates what the server should do, which is to send a 401 response. There is a reason for that: the HTTP protocol is stateless, which means that each request is independent of previous and following ones.
In-between each request, the server forgets everything.

So the server does not know that this is the nth time that this same user resubmitted a request with bad credentials, so it has to send the same answer each time.
And the answer can only consist of a status code, which is 401.
The server does not control the dialog that the browser pops up.

However, the browser knows (that this is the nth time this same request was refused because of wrong credentials), and the browser could pop up a different message in its dialog after it gets, say, 2 consecutive 401 responses. But this is a discussion to have with the people who make the browser, which is not what this list is about.
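The status-code behaviour the reply describes, shown as an added example that is not part of the original thread and not Apache's or mod_authz_ldap's code: a minimal HTTP Basic-auth decision function in Python. Every call is independent, the server keeps no count of earlier failures; a missing or invalid credential gets 401 with a WWW-Authenticate challenge, and, by default, an authenticated-but-unauthorized user also gets 401, which is exactly what makes the browser re-prompt as if the user were anonymous. The `forbidden_on_failure` switch shows the alternative of answering 403 with no challenge, so the browser renders the error page instead of prompting again; Apache httpd 2.3.11 and later expose that same choice as the mod_authz_core directive `AuthzSendForbiddenOnFailure`. The user table, the ACL and the realm name are constructed sample data.

```python
import base64
import hmac

# Constructed sample data for the example: a credential store and a
# per-path-prefix ACL. Real deployments would use hashed passwords and
# an external directory (LDAP, as in the thread), not a dict.
USERS = {"alice": "wonderland", "bob": "builder"}
ACL = {"/admin/": {"alice"}, "/public/": {"alice", "bob"}}
REALM = "example"  # assumed realm name


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value for a test client."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if unusable."""
    if not header:
        return None
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(creds):
    """Authentication: return the user name if the credentials are valid, else None."""
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison on bytes so non-ASCII passwords do not raise.
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"),
                                                   password.encode("utf-8")):
        return None
    return user


def authorized(user, path):
    """Authorization: may this (already authenticated) user reach this path?"""
    for prefix, allowed in ACL.items():
        if path.startswith(prefix):
            return user in allowed
    return False  # default deny for paths outside the ACL


def handle(path, authorization=None, forbidden_on_failure=False):
    """Decide one request. Returns (status, extra_headers).

    Stateless on purpose: nothing here remembers previous requests, so the
    same bad credentials get the same answer every time, however often the
    client resubmits them. Counting retries is the client's job.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    user = authenticate(parse_basic(authorization))
    if user is None:
        # No or invalid credentials: 401 plus a challenge invites (re)authentication.
        return 401, challenge
    if not authorized(user, path):
        if forbidden_on_failure:
            # 403 without a challenge: browser shows the error page, no prompt.
            return 403, {}
        # RFC-style answer the thread is about: identical to the anonymous case.
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    bob = basic_header("bob", "builder")
    print(handle("/admin/", None))
    print(handle("/admin/", bob))
    print(handle("/admin/", bob, forbidden_on_failure=True))
    print(handle("/admin/", basic_header("alice", "wonderland")))
```

The trade-off the 403 variant carries: with no WWW-Authenticate challenge the browser will not offer a credential prompt at all, so a user who does hold a second, better-privileged account has to clear the cached credentials (or use the browser's own re-authentication route) before the server will ever see them.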




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx