I have an Apache 2.2 (behind a load balancer) with an additional third-party module (OpenAM web agent) that is loaded via the LoadModule directive. This module checks every request to see whether it is authorized or not. The whole setup is working, and in the log of the third-party module I can see that the checks are done accordingly for each request found in the access log of Apache.

The situation changes if I activate basic auth by putting the following directives into the VirtualHost part of the Apache configuration:

<Directory /path/to/docroot>
    Options -MultiViews
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Allow from <other ips>
    AuthType Basic
    AuthBasicProvider file
    AuthName "AuthZone"
    AuthUserFile /path/to/htpasswd
    Require valid-user
    Satisfy Any
</Directory>

Now the basic auth works, but not the checks by the third-party module. It seems that every request that was subject to the basic auth processing did not make it to the third-party module. In the logs of the latter I can only see requests that match the "Allow"s and thus did not pass through the basic auth processing.

I can see all the requests in the access-log and I can see that Apache responds with Code 200 for the "missing" requests.

What might be the reason for this? The error log does not contain any useful information.

Scott Pack
bfb

1 Answer

While I can't really speak for the third-party module and how it's hooking into the authorization flow, I'd wager that the cause is Satisfy Any.

It allows for the rest of the authorization steps to be skipped when one method of authorization matches - this sounds like what you're seeing.

Shane Madden
  • Sure, this is how the Basic Auth stuff should and does already work here: any request matching one of the "Allows" is not subject to basic auth. Those requests are also correctly handed over to the third-party module. However, all requests that were successfully processed by basic auth (I can see the username in the access log) are "swallowed" by Apache and do not reach the third-party module. I would think both mechanisms (basic auth and third-party module) should work completely separately and any request, regardless of the basic auth, should be available in the 3rd p. mod, but this does not work. – bfb Nov 11 '11 at 09:03
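
A simplified model of how Apache 2.2 orders its access phases under Satisfy, added here as an illustration (it is not code from the question, the answer, or Apache itself). It assumes the third-party module registers an access_checker hook that runs after mod_authz_host; the `agent` function, the user name and the sample requests are hypothetical.

```python
# Simplified model of the Apache 2.2 access phases for one request.
OK, DECLINED, FORBIDDEN, UNAUTHORIZED = 0, -1, 403, 401

def authz_host(req):          # Order deny,allow / Deny from all / Allow from 10.0.0.0/8
    return OK if req["ip"].startswith("10.") else FORBIDDEN

def agent(req):               # hypothetical stand-in for the third-party module
    req["trace"].append("agent")
    return DECLINED

def auth_basic(req):          # AuthType Basic: were valid credentials sent?
    req["trace"].append("auth_basic")
    return OK if req.get("user") else UNAUTHORIZED

def require_valid_user(req):  # Require valid-user
    return OK if req.get("user") else UNAUTHORIZED

# Assumption: the agent is an access_checker hook ordered after mod_authz_host.
ACCESS_CHECKER = [authz_host, agent]
CHECK_USER_ID = [auth_basic]
AUTH_CHECKER = [require_valid_user]

def run_all(hooks, req):
    # RUN_ALL hook: stops at the first result that is neither OK nor DECLINED.
    for hook in hooks:
        rv = hook(req)
        if rv not in (OK, DECLINED):
            return rv
    return OK

def run_first(hooks, req):
    # RUN_FIRST hook: the first module that does not decline decides.
    for hook in hooks:
        rv = hook(req)
        if rv != DECLINED:
            return rv
    return DECLINED

def process(req, satisfy):
    """Return (status, trace) for a constructed request under Satisfy any/all."""
    req = dict(req, trace=[])
    access = run_all(ACCESS_CHECKER, req)
    if satisfy == "any" and access == OK:
        return 200, req["trace"]      # host rule satisfied: auth phases skipped
    if satisfy == "all" and access != OK:
        return access, req["trace"]
    for phase in (CHECK_USER_ID, AUTH_CHECKER):
        rv = run_first(phase, req)
        if rv != OK:
            return rv, req["trace"]
    return 200, req["trace"]

INTERNAL = {"ip": "10.1.2.3"}                      # constructed sample requests
EXTERNAL = {"ip": "203.0.113.7", "user": "alice"}
```

Under that assumption, `process(EXTERNAL, "any")` returns 200 with only `auth_basic` in the trace: the host check fails first, the agent's hook is never reached, and Basic auth alone admits the request, which matches the access-log observation in the question.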