Re: authentication, 407 / 403

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 05 Jul 2001 17:25:58 +0200

Robert Collins wrote:

> If a non-proxy_auth acl check fails.
> i.e. the username isn't allowed to access the site. With NTLM IE will not
> allow the user to override the credentials when a 403 is returned. You can't
> go "forget the username, I'm an on-site support staff member".
>
> However IE will allow you to manually enter credentials when it's given a
> 407.

And? Neither will any other browser using Basic authentication. So I
fail to see how NTLM comes into the picture here.

With the current http_access auth design, simply write your denying
http_access lines to have a proxy_auth ACL last if you want your users
to reauthenticate, some other ACL last if you want your users to be
denied without an option to reauthenticate.

Sure, when using NTLM the user has less control of who he gets logged in
as, but that is another issue I'd say. I don't favor having http_access
behave differently based on the auth scheme. The concepts are the same,
and so are the problems. Only difference is the scale (having to close
down the browser, vs having to log out completely and log in as some
other user).

--
Henrik
Received on Thu Jul 05 2001 - 10:34:07 MDT
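
The ACL-ordering rule described in the message above, as an added squid.conf example that is not part of the original post. The ACL names, usernames and domain are hypothetical, and an authentication scheme is assumed to be configured already through auth_param.

```conf
# Added example; ACL names, users and the domain are hypothetical.
# Assumes an authentication scheme is already configured via auth_param.
acl authenticated proxy_auth REQUIRED
acl staff         proxy_auth alice bob
acl restricted    dstdomain .restricted.example

# Everyone must log in first. The proxy_auth ACL is last on the line,
# so a client without valid credentials is challenged with 407.
http_access deny !authenticated

# Variant A: proxy_auth ACL last on the denying line.
# A logged-in user who is not in "staff" gets 407 for the restricted
# domain and can supply different credentials (reauthenticate).
http_access deny restricted !staff

# Variant B: the same two conditions, with the non-auth ACL last.
# The same user gets 403 and no option to reauthenticate.
# Enable this line instead of Variant A to get that behaviour.
# http_access deny !staff restricted

http_access allow authenticated
http_access deny all
```

Both variants deny the same requests; only the position of the proxy_auth ACL on the line changes, which is what selects between the 407 and the 403 response.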
