Project

General

Profile

Actions

Feature #2906

closed

Lighttpd responds with 400 not 401

Added by gcleary about 6 years ago. Updated about 6 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

Hi

We have replaced an older embedded web server with lighttpd, however the following case breaks compatibility with a third party system.

lighttpd responds with 400: Bad Request if the request requires Digest Auth but the client supplies Basic Auth. Then client does gives-up and does not try Digest Authentication!

The client seems to rely on 401: Unauthorized otherwise, it does not retry with alternative Auth.

Would you consider modifying this behavior, perhaps with the supplied patch?


Files

0002-401-Unauthorized.patch (773 Bytes) 0002-401-Unauthorized.patch gcleary, 2018-09-05 14:12
Actions #1

Updated by gstrauss about 6 years ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Invalid

The title of this issue is poor, and your feature request is a feature request, and not a bug.

Changing this behavior in lighttpd may lead to infinite loops if a bad client keeps retrying with a bad request.

Your patch is for your (differently) bad client, which is sending the wrong auth and then not handling sending a request without any (incorrectly guessed) auth in order to receive a 401 Unauthorized response. lighttpd will send 401 Unauthorized when client does not provide auth and auth has been configured as being required.

Actions #2

Updated by gstrauss about 6 years ago

  • Status changed from Invalid to Patch Pending
  • Target version changed from 1.4.x to 1.4.51

While clients should not be requesting an incorrect auth scheme, sending a 401 Unauthorized should tell the client the auth is not sufficient. According to RFC 7235, a client should not keep sending the same Authorization header in the face of 401 Unauthorized.

Actions #3

Updated by gstrauss about 6 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom