Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

no longer override Apache's default 401 page text #17

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

mgkuhn
Copy link
Contributor

@mgkuhn mgkuhn commented May 24, 2017

Apache lacks a proper core API for modules to override the default
text, so this was a fragile hack. Instead, as suggested in issue #16, advise users to use

AuthzSendForbiddenOnFailure On

such that authorization failure is reported via the more appropriate
403 status code and page. This will make future breakage such as issue #11
less likely whenever Apache next changes their ErrorDocument data structures.

Note that AuthzSendForbiddenOnFailure was only introduced in Apache 2.3.11,
so Apache 2.2 users may prefer not to apply this patch.

Apache lacks a proper core API for modules to override the default
text, so this was a fragile hack. Instead, advise users to use

  AuthzSendForbiddenOnFailure On

such that authorization failure is reported via the more appropriate
403 status code and page. This will make future breakage such as issue cambridgeuniversity#11
less likely whenever Apache next changes their ErrorDocument data structures.

Note that AuthzSendForbiddenOnFailure was only introduced in Apache 2.3.11,
so Apache 2.2 users may prefer not to apply it.
@jw35
Copy link

jw35 commented May 31, 2017

Given that AuthzSendForbiddenOnFailure is only available in Apache 2.4 and that 2.2 is still in use and just about supported by Apache I think it would be inappropriate to merge this change at the moment.

Further, it has the downside that users will receive the default confusing Apache message unless administrators read the documentation and take action -- not things that always happen.

@mgkuhn mgkuhn mentioned this pull request Jul 10, 2020
@mgkuhn
Copy link
Contributor Author

mgkuhn commented Jul 10, 2020

The Apache HTTP Server Project discontinued all development and patch review of the 2.2.x series of releases on 2018-01-01. Therefore I suggest that future releases of mod_ucam_webauth no longer need to support any Apache versions prior to 2.4.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants