Feature #2906

Lighttpd responds with 400 not 401

Added by gcleary 2 months ago. Updated about 2 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_auth
Target version:
Start date: 2018-09-05
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

Hi

We have replaced an older embedded web server with lighttpd, however the following case breaks compatibility with a third party system.

lighttpd responds with 400: Bad Request if the request requires Digest Auth but the client supplies Basic Auth. Then the client gives up and does not try Digest Authentication!

The client seems to rely on 401: Unauthorized; otherwise, it does not retry with an alternative Auth.

Would you consider modifying this behavior, perhaps with the supplied patch?

Attachment: 0002-401-Unauthorized.patch (773 Bytes), gcleary, 2018-09-05 14:12

Associated revisions

Revision 6b887f35 (diff)
Added by gstrauss about 2 months ago

[mod_auth] send 401 for mismatch HTTP auth scheme (fixes #2906)

x-ref:
"Lighttpd responds with 400 not 401"
https://redmine.lighttpd.net/issues/2906

History

#1

Updated by gstrauss 2 months ago

  • Tracker changed from Bug to Feature
  • Status changed from New to Invalid

The title of this issue is poor, and your feature request is a feature request, and not a bug.

Changing this behavior in lighttpd may lead to infinite loops if a bad client keeps retrying with a bad request.

Your patch is for your (differently) bad client, which is sending the wrong auth and then not handling sending a request without any (incorrectly guessed) auth in order to receive a 401 Unauthorized response. lighttpd will send 401 Unauthorized when the client does not provide auth and auth has been configured as being required.

#2

Updated by gstrauss 2 months ago

  • Status changed from Invalid to Patch Pending
  • Target version changed from 1.4.x to 1.4.51

While clients should not be requesting an incorrect auth scheme, sending a 401 Unauthorized should tell the client the auth is not sufficient. According to RFC 7235, a client should not keep sending the same Authorization header in the face of 401 Unauthorized.
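
The behaviour discussed in this issue, as an added illustration (not lighttpd's mod_auth source): the server compares the scheme carried in the client's Authorization header against the scheme configured for the URL and, on a mismatch, either answers 400 (the behaviour reported above) or, as in the fix, 401 with a fresh WWW-Authenticate challenge so an RFC 7235 client can retry with the right scheme. The function names, the `send_401_on_mismatch` switch and the placeholder nonce are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model of the mod_auth decision, not lighttpd code. */
enum auth_scheme { AUTH_NONE, AUTH_BASIC, AUTH_DIGEST, AUTH_UNKNOWN };

/* Scheme token of an Authorization header value: the text before the first
 * space or tab, compared case-insensitively as HTTP auth schemes are. */
static enum auth_scheme parse_scheme(const char *authorization)
{
    size_t n;
    if (authorization == NULL || *authorization == '\0') return AUTH_NONE;
    n = strcspn(authorization, " \t");
    if (n == 5 && strncasecmp(authorization, "Basic", 5) == 0) return AUTH_BASIC;
    if (n == 6 && strncasecmp(authorization, "Digest", 6) == 0) return AUTH_DIGEST;
    return AUTH_UNKNOWN;
}

/* Returns the HTTP status to send (0 = scheme matches, go on to verify the
 * credentials) and fills www_authenticate with the challenge to attach
 * (empty string when none is sent).
 * send_401_on_mismatch == 0 reproduces the pre-fix behaviour reported in the
 * issue (400 Bad Request on a mismatched scheme); != 0 models the fix, which
 * challenges with 401 so the client can retry with the required scheme. */
int auth_mismatch_status(enum auth_scheme required, const char *authorization,
                         const char *realm, int send_401_on_mismatch,
                         char *www_authenticate, size_t len)
{
    enum auth_scheme got = parse_scheme(authorization);
    www_authenticate[0] = '\0';
    if (got == required) return 0;
    if (got != AUTH_NONE && !send_401_on_mismatch) return 400; /* pre-fix */
    /* No Authorization at all, or a mismatched scheme after the fix */
    if (required == AUTH_DIGEST)
        snprintf(www_authenticate, len,
                 "Digest realm=\"%s\", nonce=\"<server-generated>\", qop=\"auth\"",
                 realm); /* placeholder nonce; a real server generates one */
    else
        snprintf(www_authenticate, len, "Basic realm=\"%s\"", realm);
    return 401;
}
```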

#3

Updated by gstrauss about 2 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
