Return 403 on access failures even with templates

Description

On access errors, the template accessErrors.html is defaulted. This results in a fancy error message with an HTTP 500 status code.
If (as suggested by you on shib-users today) one specifies a non-existent template, then the result is a plain Apache 403 message.

The preferable behavior would be to return 403 on access control failures even when templates are being used.

Environment

None

Activity

Scott Cantor December 17, 2010 at 2:39 PM

Closing after release.

Scott Cantor January 6, 2010 at 3:39 PM

Unfortunately it does to some degree on some servers. Apache doesn't let you control the body of a 403 response except by using ErrorDocument. If I send back 403, the template you use will be ignored. If I send back 500, you can use the template, but won't get a 403.

My feeling was that it's best to leave it at 500 and allow templates to work portably, and if people want it to be a 403, then you use the web server. What I broke was the ability to get it to divert to the 403 option by leaving out the access property, and I'll fix that.

bajnokk@niif.hu January 6, 2010 at 11:07 AM

Yes, I know this, although being able to distinguish between Shib errors and other webserver errors could be handy in some (troubleshooting) cases. However, IMO using (Shib) error templates should not affect the returned status code.

Scott Cantor January 6, 2010 at 10:47 AM

Note that your error response with the 403 is whatever you want it to be; the web server will let you customize that easily. That's why I deemphasized the original template; I just accidentally reintroduced it with the defaulting change.

Fixed

Created January 6, 2010 at 10:43 AM
Updated December 17, 2010 at 2:39 PM
Resolved January 6, 2010 at 3:53 PM