1

I have basic auth set up with users and groups

AuthType Basic
AuthName "GSD Dev Area"
AuthUserFile /coding/conf/passwords/gsdesign/htpasswd
AuthGroupFile /coding/conf/passwords/gsdesign/groups    
Require valid-user      

and now I want to protect a folder with access only for a group

require group myGroup

and it works, but there is one problem. If I don't have access to that folder I get the login window again, and I would like to throw forbidden. How can I do this?

Thanks a lot.

Later edit: I am already logged in with a valid username, but when I access an area that has a require group that I am not part of, I want to get an auth denied instead of the login box.

Gabriel Solomon

2 Answers

1

Not sure I understand the question, but I think you are saying when you give an invalid username/password combination, the browser pops up the window again instead of saying "Access denied". This is a feature of the browser -- it will prompt you for the credentials until you either get them right, or until you click cancel (at which point you will indeed get the access denied page). As far as I know, the only reliable way to change this is to do the authentication yourself instead of using AuthType Basic.

By the way, never, never use AuthType Basic to protect anything you care about unless your page is served over https. AuthType Basic sends the credentials in plaintext so you need the SSL layer to encrypt it for you.

andy
1

It could well be possible to do this, but it would require you to write a custom handler for Apache. You could write this in C, Perl or Python or any of the other bindings for the Apache handler API.

The standard behaviour of HTTP authentication is to return a 401 Authentication Required response for both requests without any authentication information and for incorrect details. A browser will present a login dialog whenever it gets a 401 response. You would have to respond to requests without authentication information with a 401 Authentication Required response and any incorrect authentication with a 403 Forbidden response. This should solve your problem.

David Pashley
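The 401-versus-403 decision discussed in this thread, as an added example that is not code from the question or either answer. It keeps 401 for missing or wrong credentials so the browser can re-prompt, and returns 403 only for the case in the question's later edit (valid login, not in the required group); `authorize`, `parse_groups`, the salt, users and passwords are hypothetical, constructed values standing in for the `AuthUserFile` and `AuthGroupFile` contents.

```python
import base64, binascii, hashlib, hmac

SALT = b"constructed-salt"  # constructed sample value, not from the page

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

def parse_groups(text):
    """Parse AuthGroupFile-style lines of the form 'group: user1 user2'."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups[name.strip()] = set(members.split())
    return groups

# Constructed sample data standing in for the password and group files.
USERS = {"alice": _hash("alice-pw"), "bob": _hash("bob-pw")}
GROUPS = parse_groups("myGroup: alice\nstaff: alice bob\n")

def authorize(auth_header, required_group, realm="GSD Dev Area"):
    """Return (status, headers) for a request to a group-protected area."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    if not auth_header or not auth_header.lower().startswith("basic "):
        return 401, challenge          # no credentials yet: ask for them
    try:
        raw = base64.b64decode(auth_header[6:].strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, challenge          # malformed header: same as none
    user, sep, password = decoded.partition(":")
    stored = USERS.get(user)
    # Hash even for unknown users so both paths take similar time.
    ok = hmac.compare_digest(_hash(password), stored or _hash(""))
    if not sep or stored is None or not ok:
        return 401, challenge          # wrong credentials: let the user retry
    if user not in GROUPS.get(required_group, set()):
        return 403, {}                 # authenticated, not authorized: no challenge
    return 200, {}
```

Because the 403 response carries no `WWW-Authenticate` header, the browser shows the error page instead of the login dialog. On Apache 2.4, mod_authz_core's `AuthzSendForbiddenOnFailure On` directive gives the same behaviour without a custom handler.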