Posted to modules-dev@httpd.apache.org by Christoph Gröver <gr...@sitepark.com> on 2013/05/30 10:56:27 UTC

Authentication/Authorization module vs. Basic Authentication

Dear mailing list,

I have written a rather complex module which deals with authentication
and authorization among other things. It checks, for example, for the
existence of a valid Kerberos ticket, and it checks a MySQL database for
information on which user is allowed to see which URL of a website.
Later it filters out unwanted content or removes part of the content
delivered to the user based on the id of the user.

I didn't want the module to be dependent on any "require ..." line and
I found out these lines are essential for a module which uses the
auth_checker hook. So I use some of the other hooks.
The main authentication and authorization parts are done in
ap_hook_access_checker.

Below there's the part of the code which registers functions for the
hooks.

The module was first created for Apache 1.3, transferred to Apache 2.0
and is now used with Apache 2.2. But lately there seem to be some 
compatibility problems with Basic Authentication.

In the past it was possible to use Basic Authentication and this module
at the same time. Now this gives us some Error 401 although we have a
"satisfy any" and an allowed IP address configured.

After the code in the access_checker phase is run and returns
HTTP_MOVED_TEMPORARILY, the user is prompted with a password/login
popup. This is not coming from my code. I guess it's coming from the
module that implements Basic Authentication.

So while I cannot give you an example snippet of code, because it's a
complex module which I cannot boil down to a few lines of code, I hope
you still have an idea what might be going wrong or in which direction
I should analyse this.

Any help is greatly appreciated. Thank you very much.



======================================================================
static void SumpfRegisterHooks(apr_pool_t *pool)
{
  static const char * const Succ[] = { "mod_php.c", NULL };

  // This is the hook that is called initially at the server start
  // after the configuration is read
  ap_hook_post_config(SumpfInit, NULL, NULL, APR_HOOK_MIDDLE);
  // or APR_HOOK_LAST ?

  // This is the hook that is called after reading each request
  ap_hook_post_read_request(SumpfStartPerRequest, NULL, NULL,
                            APR_HOOK_MIDDLE); // or APR_HOOK_LAST ?

  // We cannot use the auth_checker hook, cause it depends on
  // 'require valid-user' in the configuration
  ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);

  //
  ap_hook_check_user_id(SumpfCheckUserID, NULL, NULL, APR_HOOK_MIDDLE);

  // auth_checker hook will only be used if we have a 'require ...' option
  // if we use the require option the basic auth module can't use it !!!
  ap_hook_auth_checker(SumpfCheckAuthorization, NULL, NULL, APR_HOOK_FIRST);

  // For Kerberos we cannot run in auth_checker phase because mod_auth_kerb
  // prevents this by returning OK, which means no other module is run here
  // So we run as first in fixup hook
  ap_hook_fixups(SumpfKerberosChecker, NULL, NULL, APR_HOOK_FIRST);

  // For PHP a normal hook_handler doesn't do anything,
  // presumably because mod_php ends with return(OK)
  // We need the hook_fixups !!
  ap_hook_fixups(SumpfHandleSpecialRequests, NULL, NULL, APR_HOOK_MIDDLE);

  // Not needed anymore  15.12.2006
  // ap_hook_handler(SumpfSpecialURLs, NULL, NULL, APR_HOOK_MIDDLE);

  ap_hook_insert_filter(SumpfInsertFilter, Succ, NULL, APR_HOOK_MIDDLE);

  ap_register_output_filter(SumpfFilterName, sumpf_filter, NULL,
                            AP_FTYPE_RESOURCE);
}
=======================================================================




-- 
Sitepark Gesellschaft für Informationsmanagement mbH
Rothenburg 14-16, 48143 Münster

Telefon: +49 251 482655-0, Telefax: +49 251 482655-55
http://www.sitepark.com
http://www.facebook.com/sitepark

Geschäftsführer: Thorsten Liebold
Amtsgericht Münster, HRB 5017

Re: Authentication/Authorization module vs. Basic Authentication

Posted by Christoph Gröver <gr...@sitepark.com>.
Hello Nick,

> You'd want the err_headers_out to set that for an error return.

OK. Good point. Changed that.
> 
> > Instead of sending back to the client a 302 or a 301, the next thing
> > that happens is that Apache sends back a 401.
> 
> Have you traced and/or stepped through execution of your own code?

I have a lot of debugging code in my module. The last thing that my
module does in the access checking phase is returning
HTTP_MOVED_TEMPORARILY (this is logged to the errorlog).

For debugging purposes I have a short code segment hooked up into
the phases check_user_id and auth_checker.
Those are not run.

So. This leads to my conclusion that some other module must be doing
something in the access checking phase.

> 
> Could it be that your errordocument itself authenticates the client?

The problem arises when the client sends POST data to the webserver.
The client sends authentication information and my module does a 
redirection to either a failed login page or a successful welcome page.

Without any "Basic Authentication" / "require ...." lines in the
configuration this works.

If I add a "require valid-user" it doesn't work anymore.

> 
> > I tried to find out with "LogLevel debug".
> > But this actually leads to nearly no extra lines in the log files.
> 
> My usual tool in that situation is gdb.
> 

I guess the other modules are not logging much if not compiled for
verbosity?
If I used gdb I would have to compile every module with debugging
support, I guess?

Thank you for your answer,
Greetings


Re: Authentication/Authorization module vs. Basic Authentication

Posted by Christoph Gröver <gr...@sitepark.com>.
Hello Niq, Hello List,

I have been able to solve this issue. Well, I should say, I have found
a workaround.

I suspected mod_auth_basic to be doing something wrong, so I had a close
look at the sourcecode.
It is only run in the check_user_id phase.

I tested whether the problem still exists if my module is hooked in at
the beginning of the check_user_id phase and returns with status DONE,
thus preventing mod_auth_basic from being run at all.

The problem is immediately gone, so I'm sure this module is the cause.
But I haven't found out what exactly goes wrong.

Doesn't matter. This way it works.

Thank you for your time.

Greetings

-- 
Christoph Gröver

Re: Authentication/Authorization module vs. Basic Authentication

Posted by Nick Kew <ni...@apache.org>.
On 17 Jun 2013, at 10:24, Christoph Gröver wrote:

> 
> Hello list,
> 
> I thought I'd let you know what I found out so far.
> Perhaps someone will have an idea what is going on.
> 
> In the access checking phase started by this line
> 
> ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);
> 
> I return with a "return(HTTP_MOVED_TEMPORARILY)".
> I have set up the new location to go to by setting
> the appropriate headers with
> apr_table_set( r->headers_out, "Location", newlocation );

You'd want the err_headers_out to set that for an error return.

> Instead of sending back to the client a 302 or a 301, the next thing
> that happens is that Apache sends back a 401.

Have you traced and/or stepped through execution of your own code?

Could it be that your errordocument itself authenticates the client?

> I tried to find out with "LogLevel debug".
> But this actually leads to nearly no extra lines in the log files.

My usual tool in that situation is gdb.

-- 
Nick Kew


Re: Authentication/Authorization module vs. Basic Authentication

Posted by Christoph Gröver <gr...@sitepark.com>.
Hello list,

I thought I'd let you know what I found out so far.
Perhaps someone will have an idea what is going on.

In the access checking phase started by this line

 ap_hook_access_checker(SumpfAuthChecker, NULL, NULL, APR_HOOK_FIRST);

I return with a "return(HTTP_MOVED_TEMPORARILY)".
I have set up the new location to go to by setting
the appropriate headers with
 apr_table_set( r->headers_out, "Location", newlocation );

Instead of sending back to the client a 302 or a 301, the next thing
that happens is that Apache sends back a 401.
(Found out with ngrep).

So this results in prompting the user for a password.

It seems the "Basic Authentication" code or something else is doing
something after I finished in the access checking phase.

I tried to find out with "LogLevel debug".
But this actually leads to nearly no extra lines in the logfiles.

I have configured it in the global configuration and in the VirtualHost
section.

Well for the moment I'm stuck.
Hope somebody has an idea ....

Greetings


-- 
Christoph Gröver
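
An editor's added illustration of the behaviour described in this thread (not code from the thread, from the Sumpf module or from httpd): a small C model of the phase ordering that accounts for both the 302-turns-into-401 symptom and the DONE workaround. It assumes, from my reading of httpd 2.2's request.c, that under "Satisfy any" a non-OK result from access_checker is not final whenever a "require" line applies and the check_user_id phase then decides; every function name and value below is constructed for the model.

```c
/* Added model, not httpd code: how httpd 2.2's "Satisfy any" path is
 * assumed (from reading request.c) to chain access_checker and
 * check_user_id, and why a 302 can turn into mod_auth_basic's 401. */
#include <stddef.h>

#define OK 0
#define DECLINED (-1)
#define DONE (-2)
#define HTTP_MOVED_TEMPORARILY 302
#define HTTP_UNAUTHORIZED 401

typedef int (*hook_fn)(void);

/* Constructed stand-ins for the modules discussed in the thread. */
static int sumpf_access_checker(void)     { return HTTP_MOVED_TEMPORARILY; }
static int sumpf_done_check_user_id(void) { return DONE; }  /* the workaround */
static int basic_check_user_id(void)      { return HTTP_UNAUTHORIZED; } /* no credentials */

/* RUN_FIRST semantics: the first hook not returning DECLINED decides. */
static int run_first(const hook_fn *hooks, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int rc = hooks[i]();
        if (rc != DECLINED) return rc;
    }
    return DECLINED;
}

/* Satisfy-any model: a failing access_checker is not final when some
 * auth is required; the check_user_id phase then decides the result. */
static int satisfy_any(const hook_fn *access, size_t na,
                       const hook_fn *userid, size_t nu, int auth_required) {
    int rc = run_first(access, na);
    if (rc == DECLINED || rc == OK) return OK;  /* access granted */
    if (!auth_required) return rc;              /* no "require": the 302 stands */
    return run_first(userid, nu);               /* "require" present: auth decides */
}

/* Outcome of the thread's request for a given config and module order.
 * auth_required = a "require" line applies; use_workaround = the module
 * also runs first in check_user_id and returns DONE. */
int request_outcome(int auth_required, int use_workaround) {
    hook_fn access[] = { sumpf_access_checker };
    hook_fn userid[] = { sumpf_done_check_user_id, basic_check_user_id };
    const hook_fn *u = use_workaround ? userid : userid + 1;
    size_t nu = use_workaround ? 2 : 1;
    return satisfy_any(access, 1, u, nu, auth_required);
}
```

Returning DONE tells httpd the response has already been produced, so with the workaround the module itself has to emit the redirect and mod_auth_basic never sees those requests; the module's own check_user_id handler is then the only thing authenticating them.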