Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2010/06/21 08:23:09 UTC

Re: svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS modules/aaa/mod_authz_core.c server/request.c


On 06/20/2010 09:15 PM, sf@apache.org wrote:
> Author: sf
> Date: Sun Jun 20 19:15:01 2010
> New Revision: 956387
> 
> URL: http://svn.apache.org/viewvc?rev=956387&view=rev
> Log:
> Fix authorization by user or IP/ENV/...
> Note ap_note_auth_failure() breakage in STATUS
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/STATUS
>     httpd/httpd/trunk/modules/aaa/mod_authz_core.c
>     httpd/httpd/trunk/server/request.c
> 

> Modified: httpd/httpd/trunk/server/request.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=956387&r1=956386&r2=956387&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/request.c (original)
> +++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
> @@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
>          r->ap_auth_type = r->main->ap_auth_type;
>      }
>      else {
> +        char *failed_user = NULL;
>          switch (ap_satisfies(r)) {
>          case SATISFY_ALL:
>          case SATISFY_NOSPEC:
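
Review bot: the new declaration "char *failed_user = NULL;" at the top of the else block has no comment saying what it holds or when the saved value is used again. It is in scope for the whole switch on ap_satisfies(r), so a one-line comment at the declaration stating its purpose would help.
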
> @@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
>              }
>  
>              if ((access_status = ap_run_check_user_id(r)) != OK) {
> -                return decl_die(access_status, "check user", r);
> +                if (access_status == HTTP_UNAUTHORIZED) {
> +                    failed_user = r->user;
> +                    r->user = NULL;
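
Review bot: at "r->user = NULL;" in the HTTP_UNAUTHORIZED branch, the request is no longer ended through decl_die() while r->user has been cleared, so any hook that runs afterwards and reads r->user without a NULL check sees a state it did not see before this change. Please add a comment here stating that later hooks may run with r->user == NULL and where failed_user is put back or reported, and record the new contract for module authors. The quoted hunk stops at this line, so it cannot be confirmed from here that statuses other than HTTP_UNAUTHORIZED still reach decl_die(access_status, "check user", r); that path should be checked as well.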

Question: Is this an API change? I mean can authn modules be expected to handle r->user == NULL?

Regards

Rüdiger

Re: svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS modules/aaa/mod_authz_core.c server/request.c

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Monday 21 June 2010, Ruediger Pluem wrote:
> On 06/20/2010 09:15 PM, sf@apache.org wrote:
> > Author: sf
> > Date: Sun Jun 20 19:15:01 2010
> > New Revision: 956387
> > 
> > URL: http://svn.apache.org/viewvc?rev=956387&view=rev
> > Log:
> > Fix authorization by user or IP/ENV/...
> > Note ap_note_auth_failure() breakage in STATUS
> > 
> > Modified:
> >     httpd/httpd/trunk/CHANGES
> >     httpd/httpd/trunk/STATUS
> >     httpd/httpd/trunk/modules/aaa/mod_authz_core.c
> >     httpd/httpd/trunk/server/request.c
> > 
> > Modified: httpd/httpd/trunk/server/request.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?
> > rev=956387&r1=956386&r2=956387&view=diff
> > ================================================================
> > ============== --- httpd/httpd/trunk/server/request.c (original)
> > +++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
> > @@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
> > 
> >          r->ap_auth_type = r->main->ap_auth_type;
> >      
> >      }
> >      else {
> > 
> > +        char *failed_user = NULL;
> > 
> >          switch (ap_satisfies(r)) {
> >          case SATISFY_ALL:
> > 
> >          case SATISFY_NOSPEC:
> > @@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
> > 
> >              }
> >              
> >              if ((access_status = ap_run_check_user_id(r)) != OK)
> >              {
> > 
> > -                return decl_die(access_status, "check user", r);
> > +                if (access_status == HTTP_UNAUTHORIZED) {
> > +                    failed_user = r->user;
> > +                    r->user = NULL;
> 
> Question: Is this an API change? I mean can authn modules be
> expected to handle r->user == NULL?

The standard modules all handle it, albeit with a somewhat noisy error 
log message. But in fact I have overlooked the fact that it is still 
possible to have authz modules use the 2.2.x-style hooks instead of 
the new provider interface. Therefore this change should at least be 
documented on the API changes page.

In any case the change needs some more testing. It's possible that 
there are some problems because the mod_auth_* may set err_headers_out 
even if it later turns out that no authentication is needed. Maybe the 
change to err_headers_out needs to be undone in that case.

Cheers,
Stefan