OSDir



[users@httpd] Apache 2.4 authentication and authorization “toggling” - with custom authentication mod


I'm upgrading Apache 2.2 to Apache 2.4, and have encountered an issue regarding authentication and authorization with a custom authentication provider. It basically authenticates via the Kerberos method.

My Apache 2.4 `httpd.conf` looks like the following:

    <Directory />
        # No authentication and all requests are denied.
        Require all denied
        # Options now defaults to  FollowSymlink in apache 2.4.
        Options FollowSymLinks
        # AllowOverride now defaults to None in apache 2.4
        AllowOverride None
        Require valid-user 
        AuthType Digest 
        AuthName Customauth
    </Directory>

    <Location "/">
        Require valid-user 
        AuthType Digest
        AuthName Customauth
    </Location>

**Issue details**

My custom authentication has the option to be disabled/enabled (by default: disabled) via toggling – it has the ability to read a Boolean value from a file in my environment.

Unfortunately, when it is disabled, all of the requests receive a 500 response from Apache, and the following errors are shown in apache_error.log:

> [Thu May 31 19:14:00.464100 2018] [authz_core:debug] [pid 5826]
> mod_authz_core.c(809): [client 172.23.90.75:50154] AH01626:
> authorization result of Require valid-user : denied (no authenticated
> user yet)
>
> [Thu May 31 19:14:00.464109 2018] [authz_core:debug] [pid
> 5826] mod_authz_core.c(809): [client 172.23.90.75:50154] AH01626:
> authorization result of <RequireAny>: denied (no authenticated user
> yet)
>
> [Thu May 31 19:14:00.464179 2018] [core:error] [pid 5826] [client
> 172.23.90.75:50154] AH00027: No authentication done but request not allowed without authentication for /request. Authentication not
> configured?

It seems that the “require valid-user” directive is failing the requests since there is a check in Apache `mod_authz_core` when it is searching for a “user header”.

I want to “avoid authentication” in case my custom authentication is disabled and pass the requests through. How can I solve this issue?

**Note 1**: It is worth mentioning that when the custom authentication is enabled it works properly. It authenticates via tickets and the requests are handled accordingly.

**Note 2**: The custom authentication toggling had no issues with Apache 2.2. Thus, when I disable it, the requests could pass through.

The Apache 2.2 `httpd.conf` looks like the following (old configuration):

    <Directory />
        Order Deny,Allow
        Deny from all
        Options FollowSymLinks
        AllowOverride None
        Require valid-user
        AuthType Digest
        AuthName Customauth
    </Directory>

    <Location "/">
        Require valid-user
        AuthType Digest
        AuthName Customauth
    </Location>