• OK - in which case authz has been succesful and apache will continue on to serve the requested file
• DECLINED - which says: well, I don't know, can somebody else please figure it out (ie run the other authz handlers)
• HTTP_UNAUTHORIZED - which says, NO. But the browser responds to that with a basic authentication popup, which isn't what he wants

Short of returning a redirect to a login form, I couldn't figure out how you would override the browser's standard response to a 401 error status.

Thanks

Clint

Seriously, you can do whatever you like. This is basic mod_perl functionality. Maybe it would help you to look at a complete example. Check out Apache::AuthCookie. It displays a form by defining a custom response for 401 errors. There are other ways to do it, like a redirect.

OK, after a bit of research (RFC 2617 - HTTP Authentication), I've figured it out.

The browser only pops up the basic authentication dialog if it receives an HTTP_UNAUTHORISED(401) return status and a WWW-Authenticate header.

So instead, you can do what Apache::Cookie does:

• Unauthenticated user:

  return an HTTP_FORBIDDEN (403) status and use $r->custom_response() to send them the HTML of your login form

• Authenticated user:

  return OK, and apache will send them the file

Clint