Posted to cvs@httpd.apache.org by ch...@apache.org on 2008/10/31 21:18:07 UTC

svn commit: r709553 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

Author: chrisd
Date: Fri Oct 31 13:18:07 2008
New Revision: 709553

URL: http://svn.apache.org/viewvc?rev=709553&view=rev
Log:
Add AuthType of None to support disabling authentication.
Prevent crash when provider alias created to provider which is not
yet registered.
Migrate remaining functionality of mod_authn_default to mod_authn_core.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
    httpd/httpd/trunk/modules/aaa/mod_authn_core.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=709553&r1=709552&r2=709553&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Oct 31 13:18:07 2008
@@ -2,6 +2,9 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_authn_core: Add AuthType of None to support disabling
+     authentication.  [Chris Darroch]
+
   *) core: Allow <Limit> and <LimitExcept> directives to nest, and
      constrain their use to conform with that of other access control
      and authorization directives.  [Chris Darroch]
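
Review bot: The new CHANGES entry covers only `AuthType None`, while the log message for this revision also lists a crash fix for a provider alias created against a provider that is not yet registered. Add a separate `*)` entry for that fix, or move it to its own commit with its own entry, so the crash fix can be found from CHANGES.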

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml?rev=709553&r1=709552&r2=709553&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml Fri Oct 31 13:18:07 2008
@@ -123,22 +123,24 @@
 <seealso><a
     href="../howto/auth.html">Authentication, Authorization, and
     Access Control</a></seealso>
+<seealso><module>mod_authz_core</module></seealso>
 </directivesynopsis>
 
 <directivesynopsis>
 <name>AuthType</name>
 <description>Type of user authentication</description>
-<syntax>AuthType Basic|Digest</syntax>
+<syntax>AuthType None|Basic|Digest|Form</syntax>
 <contextlist><context>directory</context><context>.htaccess</context>
 </contextlist>
 <override>AuthConfig</override>
 
 <usage>
     <p>This directive selects the type of user authentication for a
-    directory. The authentication types available are
+    directory. The authentication types available are <code>None</code>,
     <code>Basic</code> (implemented by
-    <module>mod_auth_basic</module>) and <code>Digest</code>
-    (implemented by <module>mod_auth_digest</module>).</p>
+    <module>mod_auth_basic</module>), <code>Digest</code>
+    (implemented by <module>mod_auth_digest</module>), and
+    <code>Form</code> (implemented by <module>mod_auth_form</module>).</p>
 
     <p>To implement authentication, you must also use the <directive
     module="mod_authn_core">AuthName</directive> and <directive
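
Review bot: The `<syntax>` line and the first usage paragraph add `Form` and `mod_auth_form` alongside `None`, but the log message and the CHANGES entry mention only `None`. Either note the `Form` documentation update in the log message or move it to its own commit. In the same sentence `None` is the only type listed without saying what implements it; a short parenthetical such as "(handled by this module)" would match the other three.
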
@@ -146,6 +148,40 @@
     server must have an authentication-provider module such as
     <module>mod_authn_file</module> and an authorization module such
     as <module>mod_authz_user</module>.</p>
+
+    <p>The authentication type <code>None</code> disables authentication.
+    When authentication is enabled, it is normally inherited by each
+    subsequent <a href="../sections.html#mergin">configuration section</a>,
+    unless a different authentication type is specified.  If no
+    authentication is desired for a subsection of an authenticated
+    section, the authentication type <code>None</code> may be used;
+    in the following example, clients may access the
+    <code>/www/docs/public</code> directory without authenticating:</p>
+
+    <example>
+        &lt;Directory /www/docs&gt;
+        <indent>
+            AuthType Basic<br />
+            AuthName Documents<br />
+            AuthBasicProvider file<br />
+            AuthUserFile /usr/local/apache/passwd/passwords<br />
+            Require valid-user
+        </indent>
+        &lt;/Directory&gt;<br />
+        <br />
+        &lt;Directory /www/docs/public&gt;
+        <indent>
+            AuthType None<br />
+            Require all granted
+        </indent>
+        &lt;/Directory&gt;
+    </example>
+
+    <note>When disabling authentication, note that clients which have
+    already authenticated against another portion of the server's document
+    tree will typically continue to send authentication HTTP headers
+    or cookies with each request, regardless of whether the server
+    actually requires authentication for every resource.</note>
 </usage> 
 
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
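
Review bot: The added paragraph says `AuthType None` disables authentication, but the example also needs `Require all granted` in `/www/docs/public` and the text never says why. State explicitly that the `Require valid-user` from `/www/docs` is inherited too and must be overridden in the subsection, otherwise a reader may copy only the `AuthType None` line. Also check the link target `../sections.html#mergin` in the same paragraph: the fragment looks truncated and should be verified against the anchor id in sections.html.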

Modified: httpd/httpd/trunk/modules/aaa/mod_authn_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authn_core.c?rev=709553&r1=709552&r2=709553&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authn_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authn_core.c Fri Oct 31 13:18:07 2008
@@ -46,14 +46,15 @@
 
 - Track down all of the references to r->ap_auth_type
    and change them to ap_auth_type()
-- Remove ap_auth_type and ap_auth_name from the 
-   request_rec   
+- Remove ap_auth_type and ap_auth_name from the
+   request_rec
 
 */
 
 typedef struct {
-    char *ap_auth_type;
-    char *ap_auth_name;
+    const char *ap_auth_type;
+    int auth_type_set;
+    const char *ap_auth_name;
 } authn_core_dir_conf;
 
 typedef struct provider_alias_rec {
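
Review bot: The new `auth_type_set` field in `authn_core_dir_conf` has no comment, and its purpose is not obvious from the struct alone. Document that it separates "AuthType not configured in this section" from "AuthType None", since both leave `ap_auth_type` as NULL (see `set_authtype` and the merge function). The whitespace-only change to the TODO comment above the struct is unrelated and would be easier to review in a separate commit.
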
@@ -82,19 +83,22 @@
 {
     authn_core_dir_conf *base = (authn_core_dir_conf *)basev;
     authn_core_dir_conf *new = (authn_core_dir_conf *)newv;
-    authn_core_dir_conf *conf;
-
-    /* Create this conf by duplicating the base, replacing elements
-    * (or creating copies for merging) where new-> values exist.
-    */
-    conf = (authn_core_dir_conf *)apr_pmemdup(a, base, sizeof(authn_core_dir_conf));
+    authn_core_dir_conf *conf =
+        (authn_core_dir_conf *)apr_pcalloc(a, sizeof(authn_core_dir_conf));
 
-    if (new->ap_auth_type) {
+    if (new->auth_type_set) {
         conf->ap_auth_type = new->ap_auth_type;
+        conf->auth_type_set = 1;
+    }
+    else {
+        conf->ap_auth_type = base->ap_auth_type;
+        conf->auth_type_set = base->auth_type_set;
     }
 
     if (new->ap_auth_name) {
         conf->ap_auth_name = new->ap_auth_name;
+    } else {
+        conf->ap_auth_name = base->ap_auth_name;
     }
 
     return (void*)conf;
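
Review bot: With `conf` now allocated by `apr_pcalloc` instead of `apr_pmemdup(a, base, ...)`, nothing is inherited from `base` unless the merge function copies it explicitly, and the comment that described the merge was removed rather than updated. Add a comment saying every field of `authn_core_dir_conf` must be merged by hand here, so a field added later is not silently left zeroed in merged sections. Style: the `ap_auth_name` branch uses `} else {` on one line while the `auth_type_set` branch above puts `else` on its own line; pick one form.
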
@@ -189,11 +193,11 @@
 
 static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg)
 {
-    int old_overrides = cmd->override;
     const char *endp = ap_strrchr_c(arg, '>');
     const char *args;
     char *provider_alias;
     char *provider_name;
+    int old_overrides = cmd->override;
     const char *errmsg;
     const authn_provider *provider = NULL;
     ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool);
@@ -228,7 +232,7 @@
     }
 
     if (strcasecmp(provider_name, provider_alias) == 0) {
-        return apr_pstrcat(cmd->pool, 
+        return apr_pstrcat(cmd->pool,
                            "The alias provider name must be different from the base provider name.", NULL);
     }
 
@@ -237,20 +241,29 @@
                                   AUTHN_PROVIDER_VERSION);
     if (provider) {
         return apr_pstrcat(cmd->pool, "The alias provider ", provider_alias,
-                           " has already be registered previously as either a base provider or an alias provider.", 
+                           " has already be registered previously as either a base provider or an alias provider.",
                            NULL);
     }
 
     /* walk the subsection configuration to get the per_dir config that we will
        merge just before the real provider is called. */
-    cmd->override = OR_ALL|ACCESS_CONF;
+    cmd->override = OR_AUTHCFG | ACCESS_CONF;
     errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config);
+    cmd->override = old_overrides;
 
     if (!errmsg) {
         provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec));
         provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name,
                                       AUTHN_PROVIDER_VERSION);
 
+        if (!provider) {
+            /* by the time they use it, the provider should be loaded and
+               registered with us. */
+            return apr_psprintf(cmd->pool,
+                                "Unknown Authn provider: %s",
+                                provider_name);
+        }
+
         /* Save off the new directory config along with the original provider name
            and function pointer data */
         prvdraliasrec->sec_auth = new_auth_config;
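
Review bot: The `if (!provider)` check that prevents the crash sits after `ap_walk_config` has processed the child directives and after `prvdraliasrec` has been allocated. Looking up `provider_name` before the walk would reject an unknown provider before any of the section's directives are processed and keeps the error path free of unused allocations. Two further points in this hunk: the change from `OR_ALL|ACCESS_CONF` to `OR_AUTHCFG | ACCESS_CONF` narrows which directives are accepted inside `<AuthnProviderAlias>` and is not mentioned in the log message, and the touched error string still reads "has already be registered"; since the line is being modified anyway, correct it to "has already been registered".
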
@@ -268,8 +281,6 @@
                                   AP_AUTH_INTERNAL_PER_CONF);
     }
 
-    cmd->override = old_overrides;
-
     return errmsg;
 }
 
@@ -286,6 +297,16 @@
     return NULL;
 }
 
+static const char *set_authtype(cmd_parms *cmd, void *mconfig,
+                                const char *word1)
+{
+    authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+
+    aconfig->auth_type_set = 1;
+    aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL;
+
+    return NULL;
+}
 
 static const char *authn_ap_auth_type(request_rec *r)
 {
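
Review bot: In `set_authtype`, the expression `strcasecmp(word1, "None") ? word1 : NULL` relies on the non-zero return of `strcasecmp` and reads as if it were inverted. Write it as `strcasecmp(word1, "None") == 0 ? NULL : word1`, and add a comment that `None` is stored as a NULL `ap_auth_type` with `auth_type_set = 1` so that the merge function overrides an inherited type. The function accepts any other string unchecked, so a misspelled AuthType is only reported at request time by `authenticate_no_user`; say so in the comment or the directive help text.
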
@@ -309,21 +330,41 @@
 
 static const command_rec authn_cmds[] =
 {
-    AP_INIT_TAKE1("AuthType", ap_set_string_slot,
-                  (void*)APR_OFFSETOF(authn_core_dir_conf, ap_auth_type), OR_AUTHCFG,
-                  "An HTTP authorization type (e.g., \"Basic\")"),
+    AP_INIT_TAKE1("AuthType", set_authtype, NULL, OR_AUTHCFG,
+                  "an HTTP authorization type (e.g., \"Basic\")"),
     AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
-                  "The authentication realm (e.g. \"Members Only\")"),
+                  "the authentication realm (e.g. \"Members Only\")"),
     AP_INIT_RAW_ARGS("<AuthnProviderAlias", authaliassection, NULL, RSRC_CONF,
-                     "Container for authentication directives grouped under "
-                     "a provider alias"),
+                     "container for grouping an authentication provider's "
+                     "directives under a provider alias"),
     {NULL}
 };
 
+static int authenticate_no_user(request_rec *r)
+{
+    /* if there isn't an AuthType, then assume that no authentication
+        is required so return OK */
+    if (!ap_auth_type(r)) {
+        return OK;
+    }
+
+    /* there's an AuthType configured, but no authentication module
+     * loaded to support it
+     */
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
+                  "AuthType %s configured without corresponding module",
+                  ap_auth_type(r));
+
+    return HTTP_INTERNAL_SERVER_ERROR;
+}
+
 static void register_hooks(apr_pool_t *p)
 {
     APR_REGISTER_OPTIONAL_FN(authn_ap_auth_type);
     APR_REGISTER_OPTIONAL_FN(authn_ap_auth_name);
+
+    ap_hook_check_authn(authenticate_no_user, NULL, NULL, APR_HOOK_LAST,
+                        AP_AUTH_INTERNAL_PER_CONF);
 }
 
 module AP_MODULE_DECLARE_DATA authn_core_module =
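
Review bot: In `authenticate_no_user`, the `!ap_auth_type(r)` branch returns OK without setting any user, and the comment does not cover the case where `AuthType None` is combined with an inherited `Require` that expects a user. Extend the comment to say what authorization is expected to do in that case, and confirm it is denied rather than passed. The second branch fails closed with `HTTP_INTERNAL_SERVER_ERROR`, which is the right default; its log message could include the request URI to make the misconfigured section easier to locate. The lower-casing of the directive help strings in `authn_cmds` is cosmetic and would be better in a separate commit.
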
@@ -336,3 +377,4 @@
     authn_cmds,
     register_hooks                  /* register hooks */
 };
+



Re: svn commit: r709553 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

Posted by Chris Darroch <ch...@pearsoncmg.com>.
Ruediger Pluem wrote:

>> could you please split such changes into atomic commits? One issue - one 
>> commit. You also committed docs changes you didn't mention in the log 
>> message.
>> 
>> I'm not sure if the crash fix shouldn't go into CHANGES.
> 
> Plus it makes it really hard to read the diffs if you mix formatting changes
> with functional changes. Please separate them.

   Yes, my apologies for that.  I confess I'd hoped to cut a couple of
corners because these files exist only in trunk, I wasn't planning any
backports, and there seemed to be such a remarkably low level of interest
in the trunk authn/z stuff.  Still, I should have done a better job.

Chris.

-- 
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B


Re: svn commit: r709553 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 10/31/2008 09:26 PM, André Malo wrote:
> * chrisd@apache.org wrote:
> 
>> Author: chrisd
>> Date: Fri Oct 31 13:18:07 2008
>> New Revision: 709553
>>
>> URL: http://svn.apache.org/viewvc?rev=709553&view=rev
>> Log:
>> Add AuthType of None to support disabling authentication.
>> Prevent crash when provider alias created to provider which is not
>> yet registered.
>> Migrate remaining functionality of mod_authn_default to mod_authn_core.
> 
> While this sounds nice...
> could you please split such changes into atomic commits? One issue - one 
> commit. You also committed docs changes you didn't mention in the log 
> message.
> 
> I'm not sure if the crash fix shouldn't go into CHANGES.

Plus it makes it really hard to read the diffs if you mix formatting changes
with functional changes. Please separate them.

Regards

Rüdiger

Re: svn commit: r709553 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

Posted by André Malo <nd...@perlig.de>.
* chrisd@apache.org wrote:

> Author: chrisd
> Date: Fri Oct 31 13:18:07 2008
> New Revision: 709553
>
> URL: http://svn.apache.org/viewvc?rev=709553&view=rev
> Log:
> Add AuthType of None to support disabling authentication.
> Prevent crash when provider alias created to provider which is not
> yet registered.
> Migrate remaining functionality of mod_authn_default to mod_authn_core.

While this sounds nice...
could you please split such changes into atomic commits? One issue - one 
commit. You also committed docs changes you didn't mention in the log 
message.

I'm not sure if the crash fix shouldn't go into CHANGES.

Thanks.

nd
-- 
>I have tried using ErrorDocument 401, but doesn't work.
                                           ^^^^^^^^^^^^^
Oh dear.  What does it do - lounge around on the couch all day drinking
beer and watching TV?            -- "Kash" und Alan J. Flavell in ciwsu