From: Geoffrey Young Date: Mon, 5 Apr 2004 18:00:15 +0000 (+0000) Subject: Allow Digest providers to return AUTH_DENIED to propagate a 401 X-Git-Tag: pre_ajp_proxy~415 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=67d4c4decc82db36fd96ad5f64e5f5e41d1b5bea;p=apache Allow Digest providers to return AUTH_DENIED to propagate a 401 status and terminate the provider chain prior to checking the password. Reviewed by: justin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103271 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 217dcf4978..8d239a457d 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) Allow Digest providers to return AUTH_DENIED to propagate a 401 + status and terminate the provider chain prior to checking the password. + [Geoffrey Young] + *) Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines , André Malo] diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c index c804abd944..78b4fbc8d9 100644 --- a/modules/aaa/mod_auth_digest.c +++ b/modules/aaa/mod_auth_digest.c @@ -1777,6 +1777,14 @@ static int authenticate_digest_user(request_rec *r) else if (return_code == AUTH_USER_FOUND) { /* we have a password, so continue */ } + else if (return_code == AUTH_DENIED) { + /* authentication denied in the provider before attempting a match */ + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Digest: user `%s' in realm `%s' denied by provider: %s", + r->user, conf->realm, r->uri); + note_digest_auth_failure(r, conf, resp, 0); + return HTTP_UNAUTHORIZED; + } else { /* AUTH_GENERAL_ERROR (or worse) * We'll assume that the module has already said what its error