Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1996/06/26 08:56:30 UTC
satisfy access control directive
I think we might want this in 1.2....
>From willday@rom.oit.gatech.edu Tue Jun 25 23:55:38 PDT 1996
Article: 15071 of comp.infosystems.www.servers.unix
Path: re.hotwired.com!news.sprintlink.net!new-news.sprintlink.net!newsfeed.internetmci.com!swrinde!cssun.mathcs.emory.edu!cc.gatech.edu!prism!not-for-mail
From: willday@rom.oit.gatech.edu (Will Day)
Newsgroups: comp.infosystems.www.servers.unix
Subject: Re: apache vs ncsa: authentication
Date: 25 Jun 1996 19:08:08 -0400
Organization: Georgia Institute of Technology, OIT Tech Support
Lines: 136
Message-ID: <4q...@rom.oit.gatech.edu>
References: <Dt...@serval.net.wsu.edu> <4q...@taco.cc.ncsu.edu> <31...@mpn.cp.philips.com>
Reply-To: willday@rom.oit.gatech.edu (Will Day)
NNTP-Posting-Host: rom.oit.gatech.edu
X-Newsreader: Trn version 3.6 (20 Nov 1994) NNTP
A short time ago, at a computer terminal far, far, away, Fiona Cox wrote:
>Except that Apache does not support authentication "satisfy any" - as
>NCSA does.
>This shortcoming is restricting - ie when you want to use a combination
>of userid/password AND domain authentication.
>
>Has anyone else a requirement for Apache to include "satisfy any" ?????
This just came up recently with a server I help admin, where we wanted
to allow free access to on-campus hosts, but password-restrict to
off-campus hosts. I was really surprised to find that Apache didn't
support that feature, and didn't appear to be on the feature-list for
v1.1. Although in the end I think we've decided to go with
the NCSA server instead, since it supports the feature natively, I figured
it shouldn't be that hard to implement in Apache. I managed to hack
it into the source for 1.0.5. The diffs aren't too big, so I'm
including them below my .sig (compile with -DENABLE_SATISFY, or else
take out the #ifdef's). As always, use at your own risk. :)
______________________________________________________________________________
Will Day <PGP mail preferred> OIT, Georgia Tech, Atlanta 30332-0715
willday@rom.oit.gatech.edu http://rom.oit.gatech.edu/~willday/
=-> Opinions expressed are mine alone and do not reflect OIT policy <-=
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755
______________________________________________________________________________
*** mod_access.c.orig Sat Feb 17 03:32:08 1996
--- mod_access.c Tue Jun 25 18:54:06 1996
***************
*** 77,82 ****
--- 77,85 ----
int order[METHODS];
array_header *allows;
array_header *denys;
+ #ifdef ENABLE_SATISFY
+ char *satisfy;
+ #endif /* ENABLE_SATISFY */
} access_dir_conf;
module access_module;
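Review bot: the new `satisfy` field in `access_dir_conf` is a `char *` holding the raw directive text, which forces a string comparison on every request and leaves the meaning of NULL undocumented. Consider an `int` with two named constants set when the directive is parsed, plus a comment on the field stating that an unset value is treated as "all", which is how `satisfy_any()` later in this patch reads it.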
***************
*** 90,99 ****
--- 93,127 ----
for (i = 0; i < METHODS; ++i) conf->order[i] = DENY_THEN_ALLOW;
conf->allows = make_array (p, 1, sizeof (allowdeny));
conf->denys = make_array (p, 1, sizeof (allowdeny));
+ #ifdef ENABLE_SATISFY
+ conf->satisfy = NULL;
+ #endif /* ENABLE_SATISFY */
return (void *)conf;
}
+ #ifdef ENABLE_SATISFY
+ int satisfy_any (request_rec *r, int reset)
+ {
+ char *satisfy;
+ access_dir_conf *conf =
+ (access_dir_conf *)get_module_config(r->per_dir_config, &access_module);
+
+ if (!(satisfy = conf->satisfy))
+ return 0;
+
+ if (!strcasecmp(satisfy, "any")) {
+ if (reset) strcpy(satisfy, "all");
+ return 1;
+ }
+ else if (!strcasecmp(satisfy, "all"))
+ return 0;
+
+ log_error("Invalid satisfy value.", r->server);
+ return 0;
+ }
+ #endif /* ENABLE_SATISFY */
+
char *order (cmd_parms *cmd, void *dv, char *arg)
{
access_dir_conf *d = (access_dir_conf *)dv;
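Review bot: in `satisfy_any()`, `if (reset) strcpy(satisfy, "all");` writes into `conf->satisfy`, the string stored in the per-directory configuration, so per-request state is being kept in the configuration itself. Wherever that configuration outlives the request, one host-denied request leaves the directory at "all" for later requests, and hosts that pass the allow/deny check are then asked for a password as well. Keep the "host check already failed" state in something scoped to the request and treat `conf` as read-only. Separately, an unrecognised value is only reported through `log_error` at request time, on every request; returning 0 there fails closed, which is the right default, but rejecting the value when the directive is parsed would be better.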
***************
*** 134,139 ****
--- 162,171 ----
"'from' followed by hostnames or IP-address wildcards" },
{ "deny", allow_cmd, NULL, OR_LIMIT, ITERATE2,
"'from' followed by hostnames or IP-address wildcards" },
+ #ifdef ENABLE_SATISFY
+ { "Satisfy", set_string_slot, (void*)XtOffsetOf(access_dir_conf, satisfy),
+ OR_AUTHCFG, TAKE1, NULL },
+ #endif /* ENABLE_SATISFY */
{NULL}
};
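Review bot: the `Satisfy` entry uses `set_string_slot` with a NULL help string, so any argument is accepted at parse time and a typo only shows up as a log line once requests arrive. A small handler that accepts only "any" or "all" (case-insensitively, matching the `strcasecmp` calls in `satisfy_any()`) and returns an error string otherwise would surface mistakes at startup, and the entry should carry a usage string like the `allow` and `deny` entries beside it. A comment on why this is `OR_AUTHCFG` while its neighbours are `OR_LIMIT` would also help.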
***************
*** 219,224 ****
--- 251,261 ----
}
if (ret == FORBIDDEN)
+ #ifdef ENABLE_SATISFY
+ if (satisfy_any(r, 1) && real_auth_type(r))
+ ret = OK;
+ else
+ #endif /* ENABLE_SATISFY */
log_reason ("Client denied by server configuration", r->filename, r);
return ret;
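Review bot: the added `if (satisfy_any(r, 1) && real_auth_type(r))` sits brace-less under `if (ret == FORBIDDEN)`, and its `else` is what attaches `log_reason` when `ENABLE_SATISFY` is defined; please brace both levels so the pairing does not depend on the preprocessor state. The operand order also matters: `satisfy_any(r, 1)` performs its reset before `real_auth_type(r)` is tested, so a directory with `Satisfy any` but no auth type still has its setting rewritten, and testing `real_auth_type(r)` first avoids that. Since this is the point where a host denial is turned into `OK`, a comment stating that the authentication phase must then demand credentials would help the next reader.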
*** http_core.c.orig Sat Feb 17 03:35:30 1996
--- http_core.c Tue Jun 25 18:43:58 1996
***************
*** 186,194 ****
--- 186,209 ----
core_dir_config *conf =
(core_dir_config *)get_module_config(r->per_dir_config, &core_module);
+ #ifdef ENABLE_SATISFY
+ if (satisfy_any(r, 0))
+ return NULL;
+ else
+ #endif /* ENABLE_SATISFY */
return conf->auth_type;
}
+ #ifdef ENABLE_SATISFY
+ char *real_auth_type (request_rec *r)
+ {
+ core_dir_config *conf =
+ (core_dir_config *)get_module_config(r->per_dir_config, &core_module);
+
+ return conf->auth_type;
+ }
+ #endif /* ENABLE_SATISFY */
+
char *auth_name (request_rec *r)
{
core_dir_config *conf =
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS