You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2009/03/19 21:36:42 UTC
test framework/mod_authany's check user id hook vs. mod_ssl's
mod_authany's check user id hook is registered to run APR_HOOK_FIRST, as is
mod_ssl's.
mod_ssl's check user id hook needs to run before anything else that *uses*
basic auth because it can create basic auth information from the
certificate, for processing by "normal" check user id hooks.
Like practically all check user id hooks, mod_authany's hook operates on
existing basic auth information, so it must run after mod_ssl's hook.
I don't have a crisp understanding of why mod_authany's check user id hook
should be registered to run APR_HOOK_FIRST. Any comments on that? I'll try
to think on that some more.
Note that while the current, single APR_HOOK_FIRST specification applies to
both check user id and auth checker hooks, in the original implementation of
the module APR_HOOK_FIRST was individually specified for both. (changes to
framework magic, apparently to work with Apache 1.3) So the double
application of APR_HOOK_FIRST isn't a hint.
Beyond the mod_authany question, why doesn't mod_ssl declare its check user
id hook really-first if it can generate the basic auth? (Let the extremely
limited number of modules which generate basic auth headers fight it out via
predecessor/successor lists.)
assert(A change to the mod_ssl hook ordering could theoretically break
existing modules, so that should be for future releases only.)
assert(Whatever is done in mod_ssl, the <2.3 logic in mod_authany needs to
ensure that its check user id hook runs after mod_ssl's.)
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by Jeff Trawick <tr...@gmail.com>.
2009/3/20 Oden Eriksson <od...@envitory.se>
> torsdag 19 mars 2009 21:36:42 skrev Jeff Trawick:
>
> [...]
>
> I keep getting:
>
> t/modules/include...........ok 46/88# Failed test 67 in t/modules/include.t
> at
> line 396
>
> On Mandriva Linux (cooker)
AFAICT, that observation is completely independent of this particular
discussion thread ;)
if that's all that fails for you, be happy; I see that one and others in
various modules before/after my mod_authany change
maybe you can minimize the skipped tests (by adding additional httpd or Perl
modules, if practical) and start a new thread on what failures you're
seeing? (and which tree -- trunk or 2.2.x)
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by Oden Eriksson <od...@envitory.se>.
fredag 20 mars 2009 17:09:43 skrev Plüm, Rüdiger, VF-Group:
> > -----Ursprüngliche Nachricht-----
> > Von: Oden Eriksson
> > Gesendet: Freitag, 20. März 2009 16:53
> > An: dev@httpd.apache.org
> > Betreff: Re: test framework/mod_authany's check user id hook
> > vs. mod_ssl's
> >
> > torsdag 19 mars 2009 21:36:42 skrev Jeff Trawick:
> >
> > [...]
> >
> > I keep getting:
> >
> > t/modules/include...........ok 46/88# Failed test 67 in
> > t/modules/include.t at
> > line 396
>
> This has nothing to do with Jeff's changes.
> This is caused by r755261 which is a test case for
> PR 39369. This bug isn't fixed on trunk and 2.2.x.
>
> Regards
>
> Rüdiger
Thanks Rüdiger,
The patch by Joe Orton attached to that bugreport made that test pass for me.
Sorry for being OT.
--
Regards // Oden Eriksson
This email has been processed by SmoothZap - www.smoothwall.net
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
> -----Ursprüngliche Nachricht-----
> Von: Oden Eriksson
> Gesendet: Freitag, 20. März 2009 16:53
> An: dev@httpd.apache.org
> Betreff: Re: test framework/mod_authany's check user id hook
> vs. mod_ssl's
>
> torsdag 19 mars 2009 21:36:42 skrev Jeff Trawick:
>
> [...]
>
> I keep getting:
>
> t/modules/include...........ok 46/88# Failed test 67 in
> t/modules/include.t at
> line 396
This has nothing to do with Jeff's changes.
This is caused by r755261 which is a test case for
PR 39369. This bug isn't fixed on trunk and 2.2.x.
Regards
Rüdiger
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by Oden Eriksson <od...@envitory.se>.
torsdag 19 mars 2009 21:36:42 skrev Jeff Trawick:
[...]
I keep getting:
t/modules/include...........ok 46/88# Failed test 67 in t/modules/include.t at
line 396
On Mandriva Linux (cooker)
--
Regards // Oden Eriksson
This email has been processed by SmoothZap - www.smoothwall.net
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Mar 19, 2009 at 4:36 PM, Jeff Trawick <tr...@gmail.com> wrote:
assert(Whatever is done in mod_ssl, the <2.3 logic in mod_authany needs to
> ensure that its check user id hook runs after mod_ssl's.)
>
>
I'm going with this code in mod_authany for Apache 2.0/2.2 as soon as it
checks out okay on more trees:
+static void extra_hooks(apr_pool_t *p)
+{
+ static const char * const modssl_runs_before[] = {"mod_ssl.c", NULL};
+
+ ap_hook_check_user_id(authany_handler, modssl_runs_before, NULL,
+ APR_HOOK_FIRST);
+ ap_hook_auth_checker(require_any_user, NULL, NULL, APR_HOOK_FIRST);
+}
Reversing the order of (modssl_runs_before, NULL) does show failure of
ssl/fakeauth and ssl/basicauth; the order in the code above works.
--
Born in Roswell... married an alien...
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joe Orton wrote:
> On Thu, Mar 19, 2009 at 04:36:42PM -0400, Jeff Trawick wrote:
>> Beyond the mod_authany question, why doesn't mod_ssl declare its check user
>> id hook really-first if it can generate the basic auth? (Let the extremely
>> limited number of modules which generate basic auth headers fight it out via
>> predecessor/successor lists.)
>
> I doubt much thought has gone into it.
>
> Since, as you say, all the FakeBasic code needs to happen before the
> real check_user_id hooks run, I'd reckon it would make more sense to
> move it to e.g. the post_read_request hook (ssl_hook_ReadReq), rather
> than trying harder to win the hook ordering game?
For that matter, why does SSLRequire still exist? Has nothing to do at
all with SSL ;-) Perhaps it's time to start doing what Mr Laurie wanted
to accomplish in the first place, and (saving functionality elsewhere)
pare mod_ssl to the bone of what it is meant to do? socache was a good
start, obviously :)
Re: test framework/mod_authany's check user id hook vs. mod_ssl's
Posted by Joe Orton <jo...@redhat.com>.
On Thu, Mar 19, 2009 at 04:36:42PM -0400, Jeff Trawick wrote:
> Beyond the mod_authany question, why doesn't mod_ssl declare its check user
> id hook really-first if it can generate the basic auth? (Let the extremely
> limited number of modules which generate basic auth headers fight it out via
> predecessor/successor lists.)
I doubt much thought has gone into it.
Since, as you say, all the FakeBasic code needs to happen before the
real check_user_id hooks run, I'd reckon it would make more sense to
move it to e.g. the post_read_request hook (ssl_hook_ReadReq), rather
than trying harder to win the hook ordering game?
Regards, Joe