Authentication error or maybe it isn't? - no user/password was provided
mdounin at mdounin.ru
Mon Oct 21 11:53:46 UTC 2013
On Sun, Oct 20, 2013 at 05:17:37PM -0400, B.R. wrote:
> It's something a lot of people are bumping on.
> 401 HTTP covers both failed and missing authentication, but isn't it possible
> for Nginx to differentiate those states and thus only generate an error
> message on a failed (i.e. not empty credentials, either user or password
> containing something) attempt?
> That would make the error log more efficient as parsing it would provide
> more directly failed attempt to access a particular resource.
> Is it the standard way of doing things or is it your own?
> Are there some use cases or reasons against differentiating 401 answers?
The difference is already here.

The message "no user/password was provided for basic
authentication", as in original message, means exactly that: there
are no credentials provided.

On failed authentication, the "user ...: password mismatch"
message is logged. On unknown user, the "user ... was not
found in ..." message is logged.

It might make sense to downgrade the "no user/password ..."
message severity. Not sure though.