Add a way to propagate authenticator return code to 401 action

[adambadura]

Is it possible to somehow propagate authenticator return code to the action defined by directive

ErrorDocument 401 <action>

From my current findings it seems that the only way is by parsing Apache logs. But it doesn't seem a nice solution.

In case if this would end to be the only solution what should we be looking for? In our scenario we can put any arbitrary log from the authenticator program (either by outputting it or by calling syslog). But what to put there to ensure that 401 action will know which particular log to use? Requested URL itself doesn't seem enough. If there are multiple requests to the same URL then it could happen that more than one log will be made before 401 action reaches point of log parsing. So what else?

[adambadura]

I ended doing custom modification to mod_auth_external. I'm not sharing it here (although if someone insists I could) because we are using very old version 2.2.11. Core idea is doable just the same in current version but code change patch would not apply cleanly.

The idea is to use standard output from the authorization program. Wiki on Google Code mentions that standard error output from the authorization program is redirected to Apache logs. It says nothing about standard output. Yet the code redirects both to Apache logs.

So I made a pipe from authorization program standard output to the mod_auth_external. Once the authorization program returns mod_auth_external parses contents of that pipe as if it were HTTP headers. And then sets corresponding headers in request_rec received from Apache. I chose error output headers to be sure that they will be send regardless of whether authorization succeeded or failed. (It must be the authorization program that either outputs the headers or not if it depends on authorization result.)

This is simple yet flexible solution since it puts almost no logic in mod_auth_external. mod_auth_external only forwards whatever it gets from the authorization program.

We still have a problem with double authentication. For some reasons for one HTTP request Apache makes two authentication attempts. And if first attempt is failed then second attempt is blocked entirely due to a short (1s) temporary lock on the account (security reasons). It seems that output headers are send from that second attempt and so are incorrect. But I think this is caused by issue in our configuration rather than mod_auth_external interaction with Apache.

[wildone]

so why not just do a pull request for what you have done?

[adambadura]

@wildone Good point. I will try to share it.