cambridgeuniversity/mod_ucam_webauth

Is the custom 401 response still required?

Opened this issue · 0 comments

By default, when authorization fails (e.g., due to a Require user ... directive blocking access), Apache replies with status 401 and says:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

The mention of wrong passwords is misleading with Raven, because if the Raven password entered had been wrong, the WLS/IdP would have said so already to the user. Therefore, the mod_ucam_webauth module overrides Apache's default 401 message with:

Error - authorization required

Access to the web page or other resource you are trying to obtain is restricted. The identity that you have established (mgk25) is not currently allowed access. Please contact the administrator of the web server that provides the page (webmaster@localhost) for further information.

However, Apache lacks a proper API for mod_ucam_webauth to override this message, so the current implementation of this override remains a fragile hack, as became evident with issue #11.

Since Apache 2.3.11, there has been a much neater solution: the AuthzSendForbiddenOnFailure directive. AuthzSendForbiddenOnFailure On causes Apache to report an authorization failure with status 403 instead of 401, resulting in the perfectly appropriate (if a bit brief) default message

Forbidden

You don't have permission to access ... on this server.

Therefore, I propose to remove from mod_ucam_webauth all the mechanics for overriding the 401 message, and instead advise users to set AuthzSendForbiddenOnFailure On along with AuthType Ucam-WebAuth. At their discretion, users may also want to add an ErrorDocument 403 ... directive to better explain the local authorization policy, e.g. whom to contact to get the desired permission.
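The configuration the proposal describes, written out as an added example (this is not from the mod_ucam_webauth project or the issue author). The directory paths, the user list and the contact page are placeholders; server-wide mod_ucam_webauth setup (such as the module's cookie key) is assumed to be configured elsewhere in the server config.

```apache
# Added example of the proposed setup; paths and CRSids are placeholders.
<Directory "/var/www/restricted">
    # Raven authentication: mod_ucam_webauth establishes the identity (a CRSid
    # such as "mgk25"), redirecting unauthenticated clients to the WLS itself,
    # so a user never reaches the 401 text because of a wrong password.
    AuthType Ucam-WebAuth

    # Local authorization policy: only these identities may access the directory.
    Require user mgk25 abc123

    # Apache >= 2.3.11: report an *authorization* failure as 403 Forbidden
    # rather than 401 Unauthorized, so the default "wrong credentials" wording
    # is never shown and no 401-message override in the module is needed.
    AuthzSendForbiddenOnFailure On

    # Optional: replace the terse built-in 403 page with a local page that
    # explains the policy and whom to contact for access.
    ErrorDocument 403 /errors/restricted-403.html
</Directory>

# The error page must be reachable without authorization, otherwise the
# internal redirect to it is itself denied and Apache falls back to its
# built-in 403 text (or reports a recursive error).
Alias /errors /var/www/errors
<Directory "/var/www/errors">
    Require all granted
</Directory>
```

To check the result, request a protected URL with a valid Raven session for an identity that is not in the Require user list: the response status should be 403 and the body should be the configured error page. Without a session the behaviour is unchanged, since AuthzSendForbiddenOnFailure only affects the authorization step after an identity has been established.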