Allow Digest providers to return AUTH_DENIED to propagate a 401
authorGeoffrey Young <geoff@apache.org>
Mon, 5 Apr 2004 18:00:15 +0000 (18:00 +0000)
committerGeoffrey Young <geoff@apache.org>
Mon, 5 Apr 2004 18:00:15 +0000 (18:00 +0000)
status and terminate the provider chain prior to checking the password.
Reviewed by: justin

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103271 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/aaa/mod_auth_digest.c

diff --git a/CHANGES b/CHANGES
index 217dcf497880cf0da824b2094abeb2b3e82d0f7a..8d239a457d0767f4debd68b7daedbf6a6129aa08 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Allow Digest providers to return AUTH_DENIED to propagate a 401
+     status and terminate the provider chain prior to checking the password.
+     [Geoffrey Young]
+
   *) Allow RequestHeader directives to be conditional. PR 27951.
      [Vincent Deffontaines <vincent gryzor.com>, AndrĂ© Malo]
 
index c804abd9445008e1965419a36dc22c786dd0594c..78b4fbc8d9875be47b52900eefb71b44913405a2 100644 (file)
@@ -1777,6 +1777,14 @@ static int authenticate_digest_user(request_rec *r)
     else if (return_code == AUTH_USER_FOUND) {
         /* we have a password, so continue */
     }
+    else if (return_code == AUTH_DENIED) {
+        /* authentication denied in the provider before attempting a match */
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "Digest: user `%s' in realm `%s' denied by provider: %s",
+                      r->user, conf->realm, r->uri);
+        note_digest_auth_failure(r, conf, resp, 0);
+        return HTTP_UNAUTHORIZED;
+    }
     else {
         /* AUTH_GENERAL_ERROR (or worse)
          * We'll assume that the module has already said what its error
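Review bot: The comment in the new `AUTH_DENIED` branch does not say that the logged `r->user` has not been verified at this point. The branch returns before the password check that the `AUTH_USER_FOUND` branch continues to, so the name in the error log is presumably the one taken from the client's Authorization header, not an authenticated identity. I would extend the comment to something like `/* provider refused the user before any digest comparison; r->user is still the unverified, client-supplied name */` so anyone reading the log or this code does not treat the entry as proof of who made the request. Each denied request also writes an `APLOG_ERR` line that an unauthenticated client can trigger repeatedly, so it is worth confirming this level matches what the neighbouring failure branches use. The body of `authenticate_digest_user` starts and ends outside this hunk, so where `r->user` is assigned should be confirmed there.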