granicus.if.org Git - apache/commitdiff
add security warning about the new AuthzSendForbiddenOnFailure directive.
author André Malo <nd@apache.org>
Sat, 18 Dec 2010 19:56:54 +0000 (19:56 +0000)
committer André Malo <nd@apache.org>
Sat, 18 Dec 2010 19:56:54 +0000 (19:56 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1050700 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/mod/mod_authz_core.xml

index 262240d48679cefb6b3db75e2dabcca8592c0aaf..03a3648ff36a75d7e0f22d2a86d8ee78d6dc5d47 100644 (file)
@@ -603,6 +603,12 @@ authentication succeeds but authorization fails
     again, which is not wanted in all situations.
     <directive>AuthzSendForbiddenOnFailure</directive> allows to change the
     response code to '403 FORBIDDEN'.</p>
+
+    <note type="warning"><title>Security Warning</title>
+    <p>Modifying the response in case of missing authorization weakens the
+    security of the password, because it reveals to a possible attacker, that
+    his guessed password was right.</p>
+    </note>
 </usage>
 </directivesynopsis>
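Review bot: the wording of the new warning paragraph (the `<p>` inside the added `<note type="warning">`) is ungrammatical and slightly unclear: "it reveals to a possible attacker, that his guessed password was right" has a stray comma before "that", and "Modifying the response" does not say which response or which setting causes the leak. Suggested rewording: "Changing the response code from 401 to 403 on an authorization failure weakens password security, because a client that receives 403 learns that the supplied credentials were valid (authentication succeeded) and only authorization failed, whereas a 401 gives no such hint." That ties the warning to the 401/403 distinction already explained in the surrounding context lines and makes the risk explicit for readers who enable the directive. The pre-existing sentence in the context line "allows to change the response code" should also read "allows the response code to be changed" if this file is touched again.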