If the request does not have the Proxy-Authorization field set to Basic authorization or a valid username/password, then the plugin sends the 407 Proxy authorization required status code back to the client. The client will then prompt the user for a username and password, and then resend the request.

In the handle_dns routine, the following lines handle the authorization error case:

done:
     TSHttpTxnHookAdd (txnp, TS_HTTP_SEND_RESPONSE_HDR_HOOK, contp);
     TSHttpTxnReenable (txnp, TS_EVENT_HTTP_ERROR);

If handle_dns does not find the Proxy-Authorization field set to Basic authorization or a valid username/password, then it adds a SEND_RESPONSE_HDR_HOOK to the transaction being processed. This means that Traffic Server will call the plugin back when sending the client response. handle_dns reenables the transaction with TS_EVENT_HTTP_ERROR, which means that the plugin wants Traffic Server to terminate the transaction.

When Traffic Server terminates the transaction, it sends the client an error message. Because of the SEND_RESPONSE_HDR_HOOK, Traffic Server calls the plugin back. The auth-plugin routine calls handle_response to send the client a 407 status code. When the client resends the request with the Proxy-Authorization field, a new transaction begins.

handle_dns calls base64_decode to decode the username and password; handle_dns also calls authorized to validate the username and password. In this plugin, sample NT code is provided for password validation. UNIX programmers can supply their own validation mechanism.