Re: authentication, 407 / 403

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 05 Jul 2001 12:31:37 +0200

Chemolli Francesco (USI) wrote:

> It is a different variation of a problem I had in the reverse, when I wanted
> non-authenticated users to get a 407 instead of 403 (there is an undocumented
> -DDEFINE_KINKIES_407_HACK in squid-ntlm now to accommodate my needs).

Expand please. The user should get 407 in most events related to
authentication I think.

Reminds me of an old ACL hack I did, changing the semantics of when to
request user credentials. Instead of having them requested by the
proxy_auth ACL, I had them requested if the request was denied and a
proxy_auth ACL had been touched.

Worked quite nicely, making proxy_auth behave more like the other ACLs
in the sense that if the user isn't logged in then the ACL does not
match. However, the change was never pushed forward as it makes it even
harder to configure http_access security properly.

Example of a configuration where it is useful:

acl special_users proxy_auth user1 user2 user3
acl special_sites dstdomain special.example.com
acl auth proxy_auth REQUIRED

http_access allow special_users special_sites
http_access deny special_sites
http_access allow auth

causes any other user who tries to access special_sites to be requested
for new credentials.

--
Henrik
Received on Thu Jul 05 2001 - 04:33:29 MDT
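
The two behaviours compared on the example configuration, as an added sketch that is not part of the original message and is not Squid code. It is a simplified Python model: `deferred=False` has the proxy_auth ACL itself request credentials, `deferred=True` requests them only when the request ends up denied after a proxy_auth ACL was touched. The function names, the `dstdomain` type for special_sites and `auth` meaning "any logged-in user" are assumptions.

```python
# Simplified model of the two challenge policies described in the message.
ACLS = {  # constructed from the example configuration above
    "special_users": ("proxy_auth", {"user1", "user2", "user3"}),
    "special_sites": ("dstdomain", {"special.example.com"}),
    "auth": ("proxy_auth", None),  # None = any logged-in user (assumption)
}
HTTP_ACCESS = [
    ("allow", ["special_users", "special_sites"]),
    ("deny", ["special_sites"]),
    ("allow", ["auth"]),
]

class Challenge(Exception):
    """Raised when a proxy_auth ACL itself demands credentials."""

def acl_matches(name, user, host, state, deferred):
    kind, values = ACLS[name]
    if kind == "dstdomain":
        return host in values
    state["auth_touched"] = True
    if user is None:
        if not deferred:
            raise Challenge()  # the ACL requests credentials on the spot
        return False           # variant: not logged in means no match
    return values is None or user in values

def check(user, host, deferred):
    """Return 200, 403 or 407; user=None means no credentials were sent."""
    state = {"auth_touched": False}
    try:
        action = None
        for action, names in HTTP_ACCESS:
            # all() short-circuits: ACLs on a line are tested left to right
            if all(acl_matches(n, user, host, state, deferred) for n in names):
                break
        else:
            # no line matched: the default is the opposite of the last line
            action = "deny" if action == "allow" else "allow"
    except Challenge:
        return 407
    if action == "allow":
        return 200
    # variant: a denial becomes a challenge if any proxy_auth ACL was tested
    return 407 if deferred and state["auth_touched"] else 403

if __name__ == "__main__":
    for user in ("user1", "user4", None):
        for host in ("special.example.com", "www.example.org"):
            print(user, host, check(user, host, False), check(user, host, True))
```

The case to look at is user4 on special.example.com: 403 in the first mode, 407 in the second, so a logged-in user outside special_users is asked for new credentials.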
