You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by sf...@apache.org on 2010/06/20 21:15:01 UTC
svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS
modules/aaa/mod_authz_core.c server/request.c
Author: sf
Date: Sun Jun 20 19:15:01 2010
New Revision: 956387
URL: http://svn.apache.org/viewvc?rev=956387&view=rev
Log:
Fix authorization by user or IP/ENV/...
Note ap_note_auth_failure() breakage in STATUS
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/STATUS
httpd/httpd/trunk/modules/aaa/mod_authz_core.c
httpd/httpd/trunk/server/request.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Jun 20 19:15:01 2010
@@ -2,6 +2,9 @@
Changes with Apache 2.3.7
+ *) core: Try to proceed with authorization even if authentication failed.
+ This allows e.g. to authorize by user _or_ ip address. [Stefan Fritsch]
+
*) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
*) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
Modified: httpd/httpd/trunk/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/STATUS?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/STATUS (original)
+++ httpd/httpd/trunk/STATUS Sun Jun 20 19:15:01 2010
@@ -67,15 +67,17 @@ RELEASE SHOWSTOPPERS:
* Modules without documentation need to be moved to experimental or be
removed.
- * There is no working equivalent to 'Satisfy any' to authorize by
- user _or_ IP address:
- http://mail-archives.apache.org/mod_mbox/httpd-dev/200912.mbox/<4B28E73C.4050209%40kippdata.de>
-
* Not all MPMs are updated to set conn_rec::current_thread correctly.
(Prefork, Worker, Event, Simple are updated).
jim sez: Then we just ship with those... mark any others as
experimental
+ * Fix or remove ap_note_auth_failure():
+ There are two incompatible sets of *note_*_auth_failure functions, one in
+ server/protocol.c, the other in mod_auth_*.c. The set in server/protocol.c
+ should be axed and ap_note_auth_failure() must either call the functions in
+ mod_auth_*.c or must be removed, too.
+
FOR NEXT ALPHA:
Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Sun Jun 20 19:15:01 2010
@@ -754,7 +754,7 @@ static int authorize_user(request_rec *r
return OK;
}
else if (auth_result == AUTHZ_DENIED || auth_result == AUTHZ_NEUTRAL) {
- if (r->ap_auth_type == NULL) {
+ if (ap_auth_type(r) == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
"client denied by server configuration: %s%s",
r->filename ? "" : "uri ",
@@ -768,7 +768,8 @@ static int authorize_user(request_rec *r
r->user, r->uri);
/* If we're returning 403, tell them to try again. */
- ap_note_auth_failure(r);
+ /* XXX: ap_note_auth_failure is currently broken */
+ /*ap_note_auth_failure(r);*/
return HTTP_UNAUTHORIZED;
}
Modified: httpd/httpd/trunk/server/request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/server/request.c (original)
+++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
@@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
r->ap_auth_type = r->main->ap_auth_type;
}
else {
+ char *failed_user = NULL;
switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC:
@@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
}
if ((access_status = ap_run_check_user_id(r)) != OK) {
- return decl_die(access_status, "check user", r);
+ if (access_status == HTTP_UNAUTHORIZED) {
+ failed_user = r->user;
+ r->user = NULL;
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "authn failed with HTTP_UNAUTHORIZED, "
+ "trying authz without user");
+ }
+ else {
+ return decl_die(access_status, "check user", r);
+ }
}
if ((access_status = ap_run_auth_checker(r)) != OK) {
+ if (failed_user)
+ r->user = failed_user;
return decl_die(access_status, "check authorization", r);
}
break;
@@ -220,10 +232,21 @@ AP_DECLARE(int) ap_process_request_inter
if ((access_status = ap_run_access_checker(r)) != OK) {
if ((access_status = ap_run_check_user_id(r)) != OK) {
- return decl_die(access_status, "check user", r);
+ if (access_status == HTTP_UNAUTHORIZED) {
+ failed_user = r->user;
+ r->user = NULL;
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "authn failed with HTTP_UNAUTHORIZED, "
+ "trying authz without user");
+ }
+ else {
+ return decl_die(access_status, "check user", r);
+ }
}
if ((access_status = ap_run_auth_checker(r)) != OK) {
+ if (failed_user)
+ r->user = failed_user;
return decl_die(access_status, "check authorization", r);
}
}
Re: svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS modules/aaa/mod_authz_core.c server/request.c
Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Monday 21 June 2010, Ruediger Pluem wrote:
> On 06/20/2010 09:15 PM, sf@apache.org wrote:
> > Author: sf
> > Date: Sun Jun 20 19:15:01 2010
> > New Revision: 956387
> >
> > URL: http://svn.apache.org/viewvc?rev=956387&view=rev
> > Log:
> > Fix authorization by user or IP/ENV/...
> > Note ap_note_auth_failure() breakage in STATUS
> >
> > Modified:
> > httpd/httpd/trunk/CHANGES
> > httpd/httpd/trunk/STATUS
> > httpd/httpd/trunk/modules/aaa/mod_authz_core.c
> > httpd/httpd/trunk/server/request.c
> >
> > Modified: httpd/httpd/trunk/server/request.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?
> > rev=956387&r1=956386&r2=956387&view=diff
> > ================================================================
> > ============== --- httpd/httpd/trunk/server/request.c (original)
> > +++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
> > @@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
> >
> > r->ap_auth_type = r->main->ap_auth_type;
> >
> > }
> > else {
> >
> > + char *failed_user = NULL;
> >
> > switch (ap_satisfies(r)) {
> > case SATISFY_ALL:
> >
> > case SATISFY_NOSPEC:
> > @@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
> >
> > }
> >
> > if ((access_status = ap_run_check_user_id(r)) != OK)
> > {
> >
> > - return decl_die(access_status, "check user", r);
> > + if (access_status == HTTP_UNAUTHORIZED) {
> > + failed_user = r->user;
> > + r->user = NULL;
>
> Question: Is this an API change? I mean can authn modules be
> expected to handle r->user == NULL?
The standard modules all handle it, albeit with a somewhat noisy error
log message. But in fact I have overlooked the fact that it is still
possible to have authz modules use the 2.2.x-style hooks instead of
the new provider interface. Therefore this change should at least be
documented on the API changes page.
In any case the change needs some more testing. It's possible that
there are some problems because the mod_auth_* may set err_headers_out
even if it later turns out that no authentication is needed. Maybe the
change to err_headers_out needs to be undone in that case.
Cheers,
Stefan
Re: svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS modules/aaa/mod_authz_core.c
server/request.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 06/20/2010 09:15 PM, sf@apache.org wrote:
> Author: sf
> Date: Sun Jun 20 19:15:01 2010
> New Revision: 956387
>
> URL: http://svn.apache.org/viewvc?rev=956387&view=rev
> Log:
> Fix authorization by user or IP/ENV/...
> Note ap_note_auth_failure() breakage in STATUS
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/STATUS
> httpd/httpd/trunk/modules/aaa/mod_authz_core.c
> httpd/httpd/trunk/server/request.c
>
> Modified: httpd/httpd/trunk/server/request.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=956387&r1=956386&r2=956387&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/request.c (original)
> +++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
> @@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
> r->ap_auth_type = r->main->ap_auth_type;
> }
> else {
> + char *failed_user = NULL;
> switch (ap_satisfies(r)) {
> case SATISFY_ALL:
> case SATISFY_NOSPEC:
> @@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
> }
>
> if ((access_status = ap_run_check_user_id(r)) != OK) {
> - return decl_die(access_status, "check user", r);
> + if (access_status == HTTP_UNAUTHORIZED) {
> + failed_user = r->user;
> + r->user = NULL;
Question: Is this an API change? I mean can authn modules be expected to handle r->user == NULL?
Regards
RĂ¼diger