Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1996/06/26 08:56:30 UTC

satisfy access control directive

I think we might want this in 1.2....

>From willday@rom.oit.gatech.edu Tue Jun 25 23:55:38 PDT 1996
Article: 15071 of comp.infosystems.www.servers.unix
Path: re.hotwired.com!news.sprintlink.net!new-news.sprintlink.net!newsfeed.internetmci.com!swrinde!cssun.mathcs.emory.edu!cc.gatech.edu!prism!not-for-mail
From: willday@rom.oit.gatech.edu (Will Day)
Newsgroups: comp.infosystems.www.servers.unix
Subject: Re: apache vs ncsa: authentication
Date: 25 Jun 1996 19:08:08 -0400
Organization: Georgia Institute of Technology, OIT Tech Support
Lines: 136
Message-ID: <4q...@rom.oit.gatech.edu>
References: <Dt...@serval.net.wsu.edu> <4q...@taco.cc.ncsu.edu> <31...@mpn.cp.philips.com>
Reply-To: willday@rom.oit.gatech.edu (Will Day)
NNTP-Posting-Host: rom.oit.gatech.edu
X-Newsreader: Trn version 3.6 (20 Nov 1994) NNTP

A short time ago, at a computer terminal far, far, away, Fiona Cox  wrote:
>Except that Apache does not support authentication "satisfy any" - as 
>NCSA does.
>This shortcoming is restricting - ie when you want to use a combination 
>of userid/password AND domain authentication.
>
>Has anyone else a requirement for Apache to include "satisfy any" ?????

This just came up recently with a server I help admin, where we wanted
to allow free access to on-campus hosts, but password-restrict to
off-campus hosts.  I was really surprised to find that Apache didn't 
support that feature, and didn't appear to be on the feature-list for
v1.1.  Although in the end I think we've decided to go with 
the NCSA server instead, since it supports the feature natively, I figured
it shouldn't be that hard to implement in Apache.  I managed to hack
it into the source for 1.0.5.  The diffs aren't too big, so I'm
including them below my .sig (compile with -DENABLE_SATISFY, or else
take out the #ifdef's).  As always, use at your own risk. :)

______________________________________________________________________________
Will Day       <PGP mail preferred>      OIT, Georgia Tech, Atlanta 30332-0715
willday@rom.oit.gatech.edu               http://rom.oit.gatech.edu/~willday/
     =-> Opinions expressed are mine alone and do not reflect OIT policy <-=
Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety.
    Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755
______________________________________________________________________________

*** mod_access.c.orig	Sat Feb 17 03:32:08 1996
--- mod_access.c	Tue Jun 25 18:54:06 1996
***************
*** 77,82 ****
--- 77,85 ----
      int order[METHODS];
      array_header *allows;
      array_header *denys;
+ #ifdef ENABLE_SATISFY
+     char *satisfy;
+ #endif /* ENABLE_SATISFY */
  } access_dir_conf;
  
  module access_module;
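Review bot: the new `char *satisfy` member keeps the directive as free text, so every caller has to string-compare it on each request and a bad value can only be noticed at request time. An int member holding one of two constants, filled in by a small directive handler that rejects anything other than "all" or "any" when the configuration is read, would match how `int order[METHODS]` just above is handled by its own `order` handler.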
***************
*** 90,99 ****
--- 93,127 ----
      for (i = 0; i < METHODS; ++i) conf->order[i] = DENY_THEN_ALLOW;
      conf->allows = make_array (p, 1, sizeof (allowdeny));
      conf->denys = make_array (p, 1, sizeof (allowdeny));
+ #ifdef ENABLE_SATISFY
+     conf->satisfy = NULL;
+ #endif /* ENABLE_SATISFY */
      
      return (void *)conf;
  }
  
+ #ifdef ENABLE_SATISFY
+ int satisfy_any (request_rec *r, int reset)
+ {
+     char *satisfy;
+     access_dir_conf *conf =
+       (access_dir_conf *)get_module_config(r->per_dir_config, &access_module);
+ 
+     if (!(satisfy = conf->satisfy))
+ 	return 0;
+ 
+     if (!strcasecmp(satisfy, "any")) {
+ 	if (reset) strcpy(satisfy, "all");
+ 	return 1;
+     }
+     else if (!strcasecmp(satisfy, "all"))
+ 	return 0;
+ 
+     log_error("Invalid satisfy value.", r->server);
+     return 0;
+ }
+ #endif /* ENABLE_SATISFY */
+ 
  char *order (cmd_parms *cmd, void *dv, char *arg)
  {
      access_dir_conf *d = (access_dir_conf *)dv;
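Review bot: in satisfy_any(), `if (reset) strcpy(satisfy, "all");` writes into conf->satisfy, which is the per-directory configuration returned by get_module_config(), not per-request state. Unless that structure is copied for every request, the first client that is denied by host switches the directory to "all" for every later request served from the same configuration, so an allowed host would then be asked for a password as well. The "host check failed, fall back to authentication" decision should be recorded somewhere scoped to the request and the configuration left read-only. Separately, the "Invalid satisfy value." log_error() fires on every request; rejecting the value when the directive is parsed would report it once, at startup.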
***************
*** 134,139 ****
--- 162,171 ----
      "'from' followed by hostnames or IP-address wildcards" },
  { "deny", allow_cmd, NULL, OR_LIMIT, ITERATE2,
      "'from' followed by hostnames or IP-address wildcards" },
+ #ifdef ENABLE_SATISFY
+ { "Satisfy", set_string_slot, (void*)XtOffsetOf(access_dir_conf, satisfy), 
+     OR_AUTHCFG, TAKE1, NULL },
+ #endif /* ENABLE_SATISFY */
  {NULL}
  };
  
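Review bot: the "Satisfy" entry is registered under OR_AUTHCFG while the allow and deny entries next to it are OR_LIMIT, so an override scope that may not touch allow/deny can still relax them by setting Satisfy any. It should either share OR_LIMIT or the choice should be documented. The entry also uses set_string_slot with a NULL help string: any argument is accepted without validation, and the neighbouring entries all carry a usage message, so a handler that checks for "all" or "any" plus a help text would be consistent with the rest of the table.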
***************
*** 219,224 ****
--- 251,261 ----
      }
  
      if (ret == FORBIDDEN)
+ #ifdef ENABLE_SATISFY
+       if (satisfy_any(r, 1) && real_auth_type(r)) 
+ 	ret = OK;
+       else
+ #endif /* ENABLE_SATISFY */
  	log_reason ("Client denied by server configuration", r->filename, r);
  
      return ret;
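Review bot: at `if (satisfy_any(r, 1) && real_auth_type(r)) ret = OK;` the host denial is overturned as soon as an AuthType is configured, and nothing in this hunk confirms that a later phase will actually demand credentials (for example that a require line is present). If authentication is not enforced afterwards, a host that deny excluded is let through with no check at all, so the condition should test that authentication is really required before returning OK. The nested if/else without braces, with the inner if appearing only under ENABLE_SATISFY, is also easy to misread; braces around the outer `if (ret == FORBIDDEN)` body would make the binding of the else explicit in both builds.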
*** http_core.c.orig	Sat Feb 17 03:35:30 1996
--- http_core.c	Tue Jun 25 18:43:58 1996
***************
*** 186,194 ****
--- 186,209 ----
      core_dir_config *conf = 
        (core_dir_config *)get_module_config(r->per_dir_config, &core_module); 
  
+ #ifdef ENABLE_SATISFY
+     if (satisfy_any(r, 0))
+        return NULL;
+     else
+ #endif /* ENABLE_SATISFY */
      return conf->auth_type;
  }
  
+ #ifdef ENABLE_SATISFY
+ char *real_auth_type (request_rec *r)
+ {
+     core_dir_config *conf = 
+       (core_dir_config *)get_module_config(r->per_dir_config, &core_module); 
+ 
+     return conf->auth_type;
+ }
+ #endif /* ENABLE_SATISFY */
+ 
  char *auth_name (request_rec *r)
  {
      core_dir_config *conf = 
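Review bot: auth_type() in http_core.c now calls satisfy_any(), which this patch defines in mod_access.c, so the core no longer links when built with ENABLE_SATISFY but without mod_access; the Satisfy setting would be better stored in core_dir_config or reached through a hook so the dependency does not run from core to module. The patch as posted also adds no prototypes for satisfy_any() or real_auth_type() to a shared header, so both are called through implicit declarations, and real_auth_type() returns a char * that an implicit int declaration does not describe. Note too that auth_type() returning NULL while Satisfy is "any" hides the configured AuthType from every other caller of auth_type(), not only the access check.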




--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS