Misleading HTTP-Behaviour: 401 instead of 403

[2ilvan]

Hello Guys!

I want to use your NTLM module to authorize users which are part of a certain group to access several resources. To accomplish that, somewhere in the Apache configuration I wrote a line which looks something like that:

require sspi-group "myDomain\myGroup"

That setting works pretty well if I am part of myGroup. However, if I am not in that group, the browser (FF 78) asks for my login credentials. If I provide them correctly, the browser keeps asking for 2 or 3 times. That is weird because I expected a 403 Forbidden page like MDN says instead of another 401. Additionally, I think the server should only send a WWW-Authenticate header in case of a failed authentication but not in case of a missing authorization.

I tried to figure out myself what causes that problem. In your source code I found a function called common_deny_actions, which is called in every authorization handler (e.g. sspi_group_check_authorization). At its end, it calls note_sspi_auth_failure. In my opinion, that is a mistake, because note_sspi_auth_failure seems to initiate another authorization flow which means it will send another 401 instead of 403.

Unfortunately I am neither an Apache nor a HTTP expert, so I am not sure about all that stuff. To me, that behaviour seems to break the HTTP specification and will confuse users, because they cannot recognize if they provided wrong login credentials or if they are not allowed to access a specific resource. If you agree with my opinion, I would appreciate if you could fix that.

Thanks!

[neongrau]

That is an explicit feature we needed so if you mistyped credentials you get a chance to try again.
The older mod_auth_sspi just slammed shut with no chance of trying again but to quit the browser and restart it for another try. If that is what the documentation says then it doesn't make much sense for usability.

[2ilvan]

One must distinguish authentication from authorization. Authentication means, that a user proves to an application that (s)he is the one who (s)he pretends to be. As a proof, the user provides his credentials to the application and the application checks if they are right. Indeed, if the user mistyped them, it is good practice to ask him/her again and I totally like that feature!

However, if the user typed the credentials correctly and proved who (s)he is, the authorization takes place. Authorization means, that the application checks if an authenticated user is allowed to access the requested resource. With mod_authn_ntlm in my special case that means to check if the authenticated user belongs to myGroup. If that check fails because the user is not part of that group, it does not make sense to ask again for credentials, because the user will always be the same. So, (s)he will always provide the same credentials again and again without detecting that the credentials are not the problem. In my opinion that does not make sense for usability as well 😄

The better way would be to respond with 403 after a failed authorization.