You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bn...@apache.org on 2006/01/11 15:31:02 UTC
svn commit: r368027 [1/3] - in /httpd/httpd/trunk: docs/conf/
docs/conf/extra/ docs/manual/developer/ docs/manual/mod/ include/
modules/aaa/ server/
Author: bnicholes
Date: Wed Jan 11 06:30:28 2006
New Revision: 368027
URL: http://svn.apache.org/viewcvs?rev=368027&view=rev
Log:
Authz refactoring
Merge from branches/authz-dev
Basically here is a list of what has been done:
- Convert all of the authz modules from hook based to provider based
- Remove the ap_requires field from the core_dir_config structure
- Remove the function ap_requires() since its functionality is no
longer supported or necessary in the refactoring
- Remove the calls to ap_some_auth_required() in the core request
handling to allow the hooks to be called in all cases.
- Add the new module mod_authz_core which will act as the authorization
provider vector and contain common authz directives such as 'Require',
'Reject' and '<RequireAlias>'
- Add the new module mod_authn_core which will contain common
authentication directives such as 'AuthType', 'AuthName' and
'<AuthnProviderAlias>'
- Move the check for METHOD_MASK out of the authz providers and into
the authz_core provider vector
- Define the status codes that can be returned by the authz providers
as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR
- Remove the 'Satisfy' directive
- Implement the '<RequireAll>', '<RequireOne>' block directives to
handle the 'and' and 'or' logic for authorization.
- Remove the 'AuthzXXXAuthoritative' directives from all of the authz
providers
- Implement the 'Reject' directive that will deny authorization if the
argument is true
- Fold the 'Reject' directive into the '<RequireAll>', '<RequireOne>'
logic
- Reimplement the host based authorization functionality provided by
'allow', 'deny' and 'order' as authz providers
- Remove the 'allow', 'deny' and 'order' directives
- Merge mod_authn_alias into mod_authn_core
- Add '<RequireAlias>' functionality which is similar to
'<AuthnProviderAlias>' but specific to authorization aliasing
- Remove all of the references to the 'authzxxxAuthoritative'
directives from the documentation
- Remove the 'Satisfy' directive from the documentation
- Remove 'Allow', 'Deny', 'Order' directives from the documentation
- Document '<RequireAll>', '<RequireOne>', 'Reject' directives
- Reimplement the APIs ap_auth_type(), ap_auth_name() as optional
functions and move the actual implementation into mod_authn_core
- Reimplement the API ap_some_auth_required() as an optional function
and move the actual implementation into mod_authz_core
Major Changes:
- Added the directives <RequireAll>, <RequireOne>, <RequireAlias>,
Reject
- Expanded the functionality of the directive 'Require' to handle all
authorization and access control
- Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control
- Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy',
'AuthzXXXAuthoritative'
- Removed the ap_require() API
- Moved the directives 'AuthType', 'AuthName' out of mod_core and into
mod_authn_core
- Moved the directive 'Require' out of mod_core and into
mod_authz_core
- Merged mod_authn_alias into mod_authn_core
- Renamed mod_authz_dbm authz providers from 'group' and 'file-group'
to 'dbm-group' and 'dbm-file-group'
Benefits:
- All authorization and access control is now handle through two
directives, 'Require' and 'Reject'
- Authorization has been expanded to allow for complex 'AND/OR' control
logic through the directives '<RequireAll>' and '<RequireOne>'
- Configuration is now much simpler and consistent across the board
- Other modules like mod_ssl and mod_proxy should be able to plug into
and take advantage of the same provider based authorization mechanism
by implementing their own providers
Issues:
- Backwards compatibility between 2.2 and 2.3 configurations will be
broken in the area of authorization and access control due to the fact
that the directives 'allow', 'deny', 'order' and 'satisfy' have been
removed. When moving from 2.2 to 2.3 these directives will have to be
changed to 'Require all granted', 'Require all denied' or some variation
of the authz host-based providers.
- Existing third party authorization modules will have to adapt to the
new structure.
Added:
httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
- copied unchanged from r360213, httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authn_core.xml
httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml.meta
- copied unchanged from r360213, httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authn_core.xml.meta
httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
- copied, changed from r360213, httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authz_core.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml.meta
- copied unchanged from r360213, httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authz_core.xml.meta
httpd/httpd/trunk/modules/aaa/NWGNUauthncore
- copied unchanged from r360213, httpd/httpd/branches/authz-dev/modules/aaa/NWGNUauthncore
httpd/httpd/trunk/modules/aaa/NWGNUauthzcore
- copied unchanged from r360213, httpd/httpd/branches/authz-dev/modules/aaa/NWGNUauthzcore
httpd/httpd/trunk/modules/aaa/mod_authn_core.c
- copied, changed from r360213, httpd/httpd/branches/authz-dev/modules/aaa/mod_authn_core.c
httpd/httpd/trunk/modules/aaa/mod_authz_core.c
- copied, changed from r360213, httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_core.c
Modified:
httpd/httpd/trunk/docs/conf/extra/httpd-autoindex.conf.in
httpd/httpd/trunk/docs/conf/extra/httpd-dav.conf.in
httpd/httpd/trunk/docs/conf/extra/httpd-info.conf.in
httpd/httpd/trunk/docs/conf/extra/httpd-manual.conf.in
httpd/httpd/trunk/docs/conf/extra/httpd-multilang-errordoc.conf.in
httpd/httpd/trunk/docs/conf/extra/httpd-userdir.conf.in
httpd/httpd/trunk/docs/conf/httpd.conf.in
httpd/httpd/trunk/docs/manual/developer/request.xml
httpd/httpd/trunk/docs/manual/mod/allmodules.xml
httpd/httpd/trunk/docs/manual/mod/core.xml
httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
httpd/httpd/trunk/docs/manual/mod/mod_authn_alias.xml
httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_dbm.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_groupfile.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_owner.xml
httpd/httpd/trunk/docs/manual/mod/mod_authz_user.xml
httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/include/http_core.h
httpd/httpd/trunk/modules/aaa/NWGNUmakefile
httpd/httpd/trunk/modules/aaa/config.m4
httpd/httpd/trunk/modules/aaa/mod_auth.h
httpd/httpd/trunk/modules/aaa/mod_auth_basic.c
httpd/httpd/trunk/modules/aaa/mod_authn_default.c
httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
httpd/httpd/trunk/modules/aaa/mod_authz_default.c
httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
httpd/httpd/trunk/modules/aaa/mod_authz_host.c
httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
httpd/httpd/trunk/modules/aaa/mod_authz_user.c
httpd/httpd/trunk/server/core.c
httpd/httpd/trunk/server/request.c
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-autoindex.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/extra/httpd-autoindex.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-autoindex.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-autoindex.conf.in Wed Jan 11 06:30:28 2006
@@ -22,8 +22,7 @@
<Directory "@exp_iconsdir@">
Options Indexes MultiViews
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
#
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-dav.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/extra/httpd-dav.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-dav.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-dav.conf.in Wed Jan 11 06:30:28 2006
@@ -24,6 +24,7 @@
# You can use the htdigest program to create the password database:
# htdigest -c "@@ServerRoot@@/user.passwd" DAV-upload admin
AuthUserFile "@@ServerRoot@@/user.passwd"
+ AuthDigestProvider file
# Allow universal read-access, but writes are restricted
# to the admin user.
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-info.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/extra/httpd-info.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-info.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-info.conf.in Wed Jan 11 06:30:28 2006
@@ -12,9 +12,7 @@
<Location /server-status>
SetHandler server-status
- Order deny,allow
- Deny from all
- Allow from .example.com
+ Require host .example.com
</Location>
#
@@ -31,7 +29,5 @@
#
<Location /server-info>
SetHandler server-info
- Order deny,allow
- Deny from all
- Allow from .example.com
+ Require host .example.com
</Location>
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-manual.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/extra/httpd-manual.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-manual.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-manual.conf.in Wed Jan 11 06:30:28 2006
@@ -12,8 +12,7 @@
<Directory "@exp_manualdir@">
Options Indexes
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
<Files *.html>
SetHandler type-map
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-multilang-errordoc.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/extra/httpd-multilang-errordoc.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-multilang-errordoc.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-multilang-errordoc.conf.in Wed Jan 11 06:30:28 2006
@@ -26,8 +26,7 @@
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
- Order allow,deny
- Allow from all
+ Require all granted
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
ForceLanguagePriority Prefer Fallback
</Directory>
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-userdir.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/extra/httpd-userdir.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-userdir.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-userdir.conf.in Wed Jan 11 06:30:28 2006
@@ -17,12 +17,10 @@
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
- Order allow,deny
- Allow from all
+ Require all granted
</Limit>
<LimitExcept GET POST OPTIONS>
- Order deny,allow
- Deny from all
+ Require all denied
</LimitExcept>
</Directory>
Modified: httpd/httpd/trunk/docs/conf/httpd.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/conf/httpd.conf.in?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/httpd.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/httpd.conf.in Wed Jan 11 06:30:28 2006
@@ -112,8 +112,7 @@
<Directory />
Options FollowSymLinks
AllowOverride None
- Order deny,allow
- Deny from all
+ Require all denied
</Directory>
#
@@ -151,8 +150,7 @@
#
# Controls who can get stuff from this server.
#
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
@@ -169,9 +167,7 @@
# viewed by Web clients.
#
<FilesMatch "^\.ht">
- Order allow,deny
- Deny from all
- Satisfy All
+ Require all denied
</FilesMatch>
#
@@ -265,8 +261,7 @@
<Directory "@exp_cgidir@">
AllowOverride None
Options None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
#
Modified: httpd/httpd/trunk/docs/manual/developer/request.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/developer/request.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/developer/request.xml (original)
+++ httpd/httpd/trunk/docs/manual/developer/request.xml Wed Jan 11 06:30:28 2006
@@ -149,56 +149,18 @@
<p>Needs Documentation. Code is:</p>
<example><pre>
-switch (ap_satisfies(r)) {
-case SATISFY_ALL:
-case SATISFY_NOSPEC:
- if ((access_status = ap_run_access_checker(r)) != 0) {
- return decl_die(access_status, "check access", r);
- }
-
- if (ap_some_auth_required(r)) {
- if (((access_status = ap_run_check_user_id(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check user. No user file?"
- : "perform authentication. AuthType not set!",
- r);
- }
-
- if (((access_status = ap_run_auth_checker(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check access. No groups file?"
- : "perform authentication. AuthType not set!",
- r);
- }
- }
- break;
-
-case SATISFY_ANY:
- if (((access_status = ap_run_access_checker(r)) != 0)) {
- if (!ap_some_auth_required(r)) {
+ if ((access_status = ap_run_access_checker(r)) != 0) {
return decl_die(access_status, "check access", r);
}
- if (((access_status = ap_run_check_user_id(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check user. No user file?"
- : "perform authentication. AuthType not set!",
- r);
+ if ((access_status = ap_run_check_user_id(r)) != 0) {
+ return decl_die(access_status, "check user", r);
}
- if (((access_status = ap_run_auth_checker(r)) != 0)
- || !ap_auth_type(r)) {
- return decl_die(access_status, ap_auth_type(r)
- ? "check access. No groups file?"
- : "perform authentication. AuthType not set!",
- r);
+ if ((access_status = ap_run_auth_checker(r)) != 0) {
+ return decl_die(access_status, "check authorization", r);
}
- }
- break;
-}</pre>
+ </pre>
</example>
</section>
Modified: httpd/httpd/trunk/docs/manual/mod/allmodules.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/allmodules.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/allmodules.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/allmodules.xml Wed Jan 11 06:30:28 2006
@@ -9,11 +9,13 @@
<modulefile>mod_auth_digest.xml</modulefile>
<modulefile>mod_authn_alias.xml</modulefile>
<modulefile>mod_authn_anon.xml</modulefile>
+ <modulefile>mod_authn_core.xml</modulefile>
<modulefile>mod_authn_dbd.xml</modulefile>
<modulefile>mod_authn_dbm.xml</modulefile>
<modulefile>mod_authn_default.xml</modulefile>
<modulefile>mod_authn_file.xml</modulefile>
<modulefile>mod_authnz_ldap.xml</modulefile>
+ <modulefile>mod_authz_core.xml</modulefile>
<modulefile>mod_authz_dbd.xml</modulefile>
<modulefile>mod_authz_dbm.xml</modulefile>
<modulefile>mod_authz_default.xml</modulefile>
Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/core.xml Wed Jan 11 06:30:28 2006
@@ -470,69 +470,6 @@
</directivesynopsis>
<directivesynopsis>
-<name>AuthName</name>
-<description>Authorization realm for use in HTTP
-authentication</description>
-<syntax>AuthName <var>auth-domain</var></syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>This directive sets the name of the authorization realm for a
- directory. This realm is given to the client so that the user
- knows which username and password to send.
- <directive>AuthName</directive> takes a single argument; if the
- realm name contains spaces, it must be enclosed in quotation
- marks. It must be accompanied by <directive
- module="core">AuthType</directive> and <directive
- module="core">Require</directive> directives, and directives such
- as <directive module="mod_authn_file">AuthUserFile</directive> and
- <directive module="mod_authz_groupfile">AuthGroupFile</directive> to
- work.</p>
-
- <p>For example:</p>
-
- <example>
- AuthName "Top Secret"
- </example>
-
- <p>The string provided for the <code>AuthName</code> is what will
- appear in the password dialog provided by most browsers.</p>
-</usage>
-<seealso><a
- href="../howto/auth.html">Authentication, Authorization, and
- Access Control</a></seealso>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>AuthType</name>
-<description>Type of user authentication</description>
-<syntax>AuthType Basic|Digest</syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>This directive selects the type of user authentication for a
- directory. The authentication types available are
- <code>Basic</code> (implemented by
- <module>mod_auth_basic</module>) and <code>Digest</code>
- (implemented by <module>mod_auth_digest</module>).</p>
-
- <p>To implement authentication, you must also use the <directive
- module="core">AuthName</directive> and <directive
- module="core">Require</directive> directives. In addition, the
- server must have an authentication-provider module such as
- <module>mod_authn_file</module> and an authorization module such
- as <module>mod_authz_user</module>.</p>
-</usage>
-
-<seealso><a href="../howto/auth.html">Authentication, Authorization,
- and Access Control</a></seealso>
-</directivesynopsis>
-
-<directivesynopsis>
<name>CGIMapExtension</name>
<description>Technique for locating the interpreter for CGI
scripts</description>
@@ -2392,101 +2329,6 @@
</directivesynopsis>
<directivesynopsis>
-<name>Require</name>
-<description>Selects which authenticated users can access
-a resource</description>
-<syntax>Require <var>entity-name</var> [<var>entity-name</var>] ...</syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>This directive selects which authenticated users can access a
- resource. The restrictions are processed by authorization
- modules. Some of the allowed syntaxes provided by
- <module>mod_authz_user</module> and
- <module>mod_authz_groupfile</module> are:</p>
-
- <dl>
- <dt><code>Require user <var>userid</var> [<var>userid</var>]
- ...</code></dt>
- <dd>Only the named users can access the resource.</dd>
-
- <dt><code>Require group <var>group-name</var> [<var>group-name</var>]
- ...</code></dt>
- <dd>Only users in the named groups can access the resource.</dd>
-
- <dt><code>Require valid-user</code></dt>
- <dd>All valid users can access the resource.</dd>
- </dl>
-
- <p>Other authorization modules that implement require options
- include <module>mod_authnz_ldap</module>,
- <module>mod_authz_dbm</module>, and
- <module>mod_authz_owner</module>.</p>
-
- <p><directive>Require</directive> must be accompanied by
- <directive module="core">AuthName</directive> and <directive
- module="core">AuthType</directive> directives, and directives such
- as <directive module="mod_authn_file">AuthUserFile</directive>
- and <directive module="mod_authz_groupfile">AuthGroupFile</directive> (to
- define users and groups) in order to work correctly. Example:</p>
-
- <example>
- AuthType Basic<br />
- AuthName "Restricted Resource"<br />
- AuthUserFile /web/users<br />
- AuthGroupFile /web/groups<br />
- Require group admin
- </example>
-
- <p>Access controls which are applied in this way are effective for
- <strong>all</strong> methods. <strong>This is what is normally
- desired.</strong> If you wish to apply access controls only to
- specific methods, while leaving other methods unprotected, then
- place the <directive>Require</directive> statement into a
- <directive module="core" type="section">Limit</directive>
- section.</p>
-
- <p>If <directive>Require</directive> is used together with
- the <directive module="mod_authz_host">Allow</directive> or
- <directive module="mod_authz_host">Deny</directive> directives,
- then the interaction of these restrictions is controlled by
- the <directive module="core">Satisfy</directive> directive.</p>
-
- <note><title>Removing controls in subdirectories</title>
- <p>The following example shows how to use the <directive
- module="core">Satisfy</directive> directive to disable access
- controls in a subdirectory of a protected directory. This
- technique should be used with caution, because it will also
- disable any access controls imposed by
- <module>mod_authz_host</module>.</p>
- <example>
- <Directory /path/to/protected/><br />
- <indent>
- Require user david<br />
- </indent>
- </Directory><br />
- <Directory /path/to/protected/unprotected><br />
- <indent>
- # All access controls and authentication are disabled<br />
- # in this directory<br />
- Satisfy Any<br />
- Allow from all<br />
- </indent>
- </Directory><br />
- </example>
- </note>
-
-</usage>
-
-<seealso><a href="../howto/auth.html">Authentication, Authorization,
- and Access Control</a></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
-<seealso><module>mod_authz_host</module></seealso>
-</directivesynopsis>
-
-<directivesynopsis>
<name>RLimitCPU</name>
<description>Limits the CPU consumption of processes launched
by Apache children</description>
@@ -2591,55 +2433,6 @@
</usage>
<seealso><directive module="core">RLimitMEM</directive></seealso>
<seealso><directive module="core">RLimitCPU</directive></seealso>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>Satisfy</name>
-<description>Interaction between host-level access control and
-user authentication</description>
-<syntax>Satisfy Any|All</syntax>
-<default>Satisfy All</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-<compatibility>Influenced by <directive module="core" type="section"
->Limit</directive> and <directive module="core"
-type="section">LimitExcept</directive> in version 2.0.51 and
-later</compatibility>
-
-<usage>
- <p>Access policy if both <directive
- module="mod_authz_host">Allow</directive> and <directive
- module="core">Require</directive> used. The parameter can be
- either <code>All</code> or <code>Any</code>. This directive is only
- useful if access to a particular area is being restricted by both
- username/password <em>and</em> client host address. In this case
- the default behavior (<code>All</code>) is to require that the client
- passes the address access restriction <em>and</em> enters a valid
- username and password. With the <code>Any</code> option the client will be
- granted access if they either pass the host restriction or enter a
- valid username and password. This can be used to password restrict
- an area, but to let clients from particular addresses in without
- prompting for a password.</p>
-
- <p>For example, if you wanted to let people on your network have
- unrestricted access to a portion of your website, but require that
- people outside of your network provide a password, you could use a
- configuration similar to the following:</p>
-
- <example>
- Require valid-user<br />
- Allow from 192.168.1<br />
- Satisfy Any
- </example>
-
- <p>Since version 2.0.51 <directive>Satisfy</directive> directives can
- be restricted to particular methods by <directive module="core"
- type="section">Limit</directive> and <directive module="core" type="section"
- >LimitExcept</directive> sections.</p>
-</usage>
- <seealso><directive module="mod_authz_host">Allow</directive></seealso>
- <seealso><directive module="core">Require</directive></seealso>
</directivesynopsis>
<directivesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml Wed Jan 11 06:30:28 2006
@@ -38,7 +38,6 @@
<seealso><directive module="core">AuthName</directive></seealso>
<seealso><directive module="core">AuthType</directive></seealso>
<seealso><directive module="core">Require</directive></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
<seealso><a href="../howto/auth.html">Authentication howto</a></seealso>
<section id="using"><title>Using Digest Authentication</title>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authn_alias.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authn_alias.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authn_alias.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authn_alias.xml Wed Jan 11 06:30:28 2006
@@ -76,7 +76,6 @@
AuthType Basic<br />
AuthName LDAP_Protected_Place<br />
- AuthzLDAPAuthoritative off<br />
require valid-user<br />
</indent>
</Directory><br />
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authnz_ldap.xml Wed Jan 11 06:30:28 2006
@@ -301,9 +301,7 @@
<p>If this directive exists, <module>mod_authnz_ldap</module> grants
access to any user that has successfully authenticated during the
search/bind phase. Requires that <module>mod_authz_user</module> be
- loaded and that the
- <directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
- directive be set to off.</p>
+ loaded.</p>
</section>
<section id="requser"><title>require ldap-user</title>
@@ -573,17 +571,10 @@
that gets created in the web</p>
<example><pre>
AuthLDAPURL "the url"
-AuthzLDAPAuthoritative off
AuthGroupFile <em>mygroupfile</em>
require group <em>mygroupfile</em>
</pre></example>
- <p><directive module="mod_authnz_ldap">AuthzLDAPAuthoritative</directive>
- must be off to allow <module>mod_authnz_ldap</module> to decline group
- authentication so that Apache will fall back to file
- authentication for checking group membership. This allows the
- FrontPage-managed group file to be used.</p>
-
<section id="howitworks"><title>How It Works</title>
<p>FrontPage restricts access to a web by adding the <code>require
@@ -642,25 +633,6 @@
</ul>
</section>
</section>
-
-<directivesynopsis>
-<name>AuthzLDAPAuthoritative</name>
-<description>Prevent other authentication modules from
-authenticating the user if this one fails</description>
-<syntax>AuthzLDAPAuthoritative on|off</syntax>
-<default>AuthzLDAPAuthoritative on</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Set to <code>off</code> if this module should let other
- authentication modules attempt to authenticate the user, should
- authentication with this module fail. Control is only passed on
- to lower modules if there is no DN or rule that matches the
- supplied user name (as passed by the client).</p>
-</usage>
-</directivesynopsis>
<directivesynopsis>
<name>AuthLDAPBindDN</name>
Copied: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (from r360213, httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authz_core.xml)
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?p2=httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml&p1=httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authz_core.xml&r1=360213&r2=368027&rev=368027&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Wed Jan 11 06:30:28 2006
@@ -134,25 +134,25 @@
</directivesynopsis>
<directivesynopsis type="section">
-<name>RequireAll</name>
+<name>SatisfyAll</name>
<description>Enclose a group of authorization directives that must all
be satisfied in order to grant access to a resource. This block allows
for 'AND' logic to be applied to various authorization providers.</description>
-<syntax><RequireAll>
-... </RequireAll></syntax>
+<syntax><SatisfyAll>
+... </SatisfyAll></syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
- <p><directive type="section">RequireAll</directive> and
- <code></RequireAll></code> are used to enclose a group of
+ <p><directive type="section">SatisfyAll</directive> and
+ <code></SatisfyAll></code> are used to enclose a group of
authorization directives that must all be satisfied in order to
grant access to a resource.</p>
<p>The <directive module="mod_authz_core">
- <RequireAll></directive> block as well as the
- <directive module="mod_authz_core"><RequireOne></directive> block
+ <SatisfyAll></directive> block as well as the
+ <directive module="mod_authz_core"><SatisfyOne></directive> block
allow you to apply "AND" and "OR" logic to the authorization processing.
For example the following authorization block would apply the logic:</p>
@@ -173,14 +173,14 @@
AuthBasicProvider ...<br />
...<br />
Require user John<br />
- <RequireAll><br />
+ <SatisfyAll><br />
Require Group admins<br />
Require ldap-group cn=mygroup,o=foo<br />
- <RequireOne><br />
+ <SatisfyOne><br />
Require ldap-attribute dept="sales"<br />
Require file-group<br />
- </RequireOne><br />
- </RequireAll><br />
+ </SatisfyOne><br />
+ </SatisfyAll><br />
</Directory><br />
</example>
@@ -192,25 +192,25 @@
</directivesynopsis>
<directivesynopsis type="section">
-<name>RequireOne</name>
+<name>SatisfyOne</name>
<description>Enclose a group of authorization directives that must
satisfy at least one in order to grant access to a resource. This
block allows for 'OR' logic to be applied to various authorization
providers.</description>
-<syntax><RequireOne>
-... </RequireOne></syntax>
+<syntax><SatisfyOne>
+... </SatisfyOne></syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>
<usage>
- <p><directive type="section">RequireOne</directive> and
- <code></RequireOne></code> are used to enclose a group of
+ <p><directive type="section">SatisfyOne</directive> and
+ <code></SatisfyOne></code> are used to enclose a group of
authorization directives that must satisfy at least one in order to
grant access to a resource.</p>
<p>See the <directive module="mod_authz_core">
- <RequireAll></directive> directive for a usage example.</p>
+ <SatisfyAll></directive> directive for a usage example.</p>
</usage>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_dbd.xml Wed Jan 11 06:30:28 2006
@@ -38,7 +38,6 @@
</summary>
<seealso><directive module="core">Require</directive></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
<seealso><directive module="mod_dbd">DBDriver</directive></seealso>
<seealso><directive module="mod_dbd">DBDParams</directive></seealso>
@@ -179,42 +178,6 @@
the <code>Referer</code> HTTP request header, if present.
When there is no <code>Referer</code> header,
<code>AuthzDBDLoginToReferer On</code> will be ignored.</p>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>AuthzDBDAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzDBDAuthoritative On|Off</syntax>
-<default>AuthzDBDAuthoritative On</default>
-<contextlist><context>directory</context></contextlist>
-
-<usage>
- <p>Setting the <directive>AuthzDBDAuthoritative</directive>
- directive explicitly to <code>Off</code> allows group authorization
- to be handled by another authz module if the userID is not
- in any authorized dbd-group. If there are any groups
- specified, the usual checks will be applied and a failure will
- give an Authentication Required reply.</p>
-
- <p>So if a userID appears in the database of more than one module;
- or if a valid <directive module="core">Require</directive>
- directive applies to more than one module; then the first module
- will verify the credentials; and no access is passed on;
- regardless of the <directive>AuthAuthoritative</directive> setting.</p>
-
- <p>A common use for this is in conjunction with one of the
- auth providers; such or
- <module>mod_authn_file</module>. Whereas this DBD module supplies
- the bulk of the user credential checking; a few (administrator) related
- accesses fall through to a lower level with a well protected
- <code>.htpasswd</code> file.</p>
-
- <p>By default, control is not passed on and an unknown group
- will result in an Authentication Required reply. Not
- setting it thus keeps the system secure and forces an NCSA
- compliant behaviour.</p>
</usage>
</directivesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_dbm.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_dbm.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_dbm.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_dbm.xml Wed Jan 11 06:30:28 2006
@@ -37,7 +37,6 @@
</summary>
<seealso><directive module="core">Require</directive></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
<directivesynopsis>
<name>AuthDBMGroupFile</name>
@@ -116,53 +115,6 @@
<p>It is crucial that whatever program you use to create your group
files is configured to use the same type of database.</p>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>AuthzDBMAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzDBMAuthoritative On|Off</syntax>
-<default>AuthzDBMAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzDBMAuthoritative</directive>
- directive explicitly to <code>Off</code> allows group authorization
- to be passed on to lower level modules (as defined in the
- <code>modules.c</code> file) if there is no group found
- for the the supplied userID. If there are any groups
- specified, the usual checks will be applied and a failure will
- give an Authentication Required reply.</p>
-
- <p>So if a userID appears in the database of more than one module;
- or if a valid <directive module="core">Require</directive>
- directive applies to more than one module; then the first module
- will verify the credentials; and no access is passed on;
- regardless of the <directive>AuthAuthoritative</directive> setting.</p>
-
- <p>A common use for this is in conjunction with one of the
- auth providers; such as <module>mod_authn_dbm</module> or
- <module>mod_authn_file</module>. Whereas this DBM module supplies
- the bulk of the user credential checking; a few (administrator) related
- accesses fall through to a lower level with a well protected
- <code>.htpasswd</code> file.</p>
-
- <p>By default, control is not passed on and an unknown group
- will result in an Authentication Required reply. Not
- setting it thus keeps the system secure and forces an NCSA
- compliant behaviour.</p>
-
- <note type="warning"><title>Security</title>
- <p>Do consider the implications of allowing a user to
- allow fall-through in his .htaccess file; and verify that this
- is really what you want; Generally it is easier to just secure
- a single <code>.htpasswd</code> file, than it is to secure a
- database which might have more access interfaces.</p>
- </note>
</usage>
</directivesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_groupfile.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_groupfile.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_groupfile.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_groupfile.xml Wed Jan 11 06:30:28 2006
@@ -37,7 +37,6 @@
</summary>
<seealso><directive module="core">Require</directive></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
<directivesynopsis>
<name>AuthGroupFile</name>
@@ -71,38 +70,6 @@
stored outside the document tree of the web-server; do <em>not</em>
put it in the directory that it protects. Otherwise, clients may
be able to download the <directive>AuthGroupFile</directive>.</p>
- </note>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>AuthzGroupFileAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzGroupFileAuthoritative On|Off</syntax>
-<default>AuthzGroupFileAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzGroupFileAuthoritative</directive>
- directive explicitly to <code>Off</code> allows for
- group authorization to be passed on to lower level modules (as defined
- in the <code>modules.c</code> files) if there is <strong>no
- group</strong> matching the supplied userID.</p>
-
- <p>By default, control is not passed on and an unknown group
- will result in an Authentication Required reply. Not
- setting it thus keeps the system secure and forces an NCSA
- compliant behaviour.</p>
-
- <note type="warning"><title>Security</title>
- <p>Do consider the implications of allowing a user to
- allow fall-through in his <code>.htaccess</code> file; and verify
- that this is really what you want; Generally it is easier to just
- secure a single <code>.htpasswd</code> file, than it is to secure
- a database which might have more access interfaces.</p>
</note>
</usage>
</directivesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_host.xml Wed Jan 11 06:30:28 2006
@@ -28,31 +28,21 @@
<status>Base</status>
<sourcefile>mod_authz_host.c</sourcefile>
<identifier>authz_host_module</identifier>
-<compatibility>Available in Apache 2.1 and later</compatibility>
+<compatibility>Available in Apache 2.3 and later</compatibility>
<summary>
- <p>The directives provided by <module>mod_authz_host</module> are
- used in <directive module="core" type="section">Directory</directive>,
- <directive module="core" type="section">Files</directive>, and
- <directive module="core" type="section">Location</directive> sections
+ <p>The authorization providers implemented by <module>mod_authz_host</module> are
+ registered using the <directive module="mod_authz_core">Require</directive> or
+ <directive module="mod_authz_core">Reject</directive> directives. These
+ directives can be referenced within a
+ <directive module="core" type="section">Directory</directive>,
+ <directive module="core" type="section">Files</directive>,
+ or <directive module="core" type="section">Location</directive> section
as well as <code><a href="core.html#accessfilename">.htaccess</a>
</code> files to control access to particular parts of the server.
Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in <a
- href="../env.html">environment variables</a>. The <directive
- module="mod_authz_host">Allow</directive> and <directive
- module="mod_authz_host">Deny</directive> directives are used to
- specify which clients are or are not allowed access to the server,
- while the <directive module="mod_authz_host">Order</directive>
- directive sets the default access state, and configures how the
- <directive module="mod_authz_host">Allow</directive> and <directive
- module="mod_authz_host">Deny</directive> directives interact with each
- other.</p>
-
- <p>Both host-based access restrictions and password-based
- authentication may be implemented simultaneously. In that case,
- the <directive module="core">Satisfy</directive> directive is used
- to determine how the two sets of restrictions interact.</p>
+ href="../env.html">environment variables</a>.</p>
<p>In general, access restriction directives apply to all
access methods (<code>GET</code>, <code>PUT</code>,
@@ -62,111 +52,33 @@
in a <directive module="core" type="section">Limit</directive> section.</p>
</summary>
-<seealso><directive module="core">Satisfy</directive></seealso>
-<seealso><directive module="core">Require</directive></seealso>
+<seealso><a href="../howto/auth.html">Authentication, Authorization,
+ and Access Control</a></seealso>
+<seealso><directive module="mod_authz_core">Require</directive></seealso>
+<seealso><directive module="mod_authz_core">Reject</directive></seealso>
+
+<section id="requiredirectives"><title>The require Directives</title>
+
+ <p>Apache's <directive module="mod_authz_core">Require</directive> and
+ <directive module="mod_authz_core">Reject</directive> directives are
+ used during the authorization phase to ensure that a user is allowed or
+ denied access to a resource. mod_authz_host extends the
+ authorization types with <code>env</code>, <code>ip</code>,
+ <code>host</code> and <code>all</code>. Other authorization types may also be
+ used but may require that additional authorization modules be loaded.</p>
-<directivesynopsis>
-<name>Allow</name>
-<description>Controls which hosts can access an area of the
-server</description>
-<syntax> Allow from all|<var>host</var>|env=<var>env-variable</var>
-[<var>host</var>|env=<var>env-variable</var>] ...</syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>Limit</override>
-
-<usage>
- <p>The <directive>Allow</directive> directive affects which hosts can
+ <p>These authorization providers affect which hosts can
access an area of the server. Access can be controlled by
hostname, IP Address, IP Address range, or by other
characteristics of the client request captured in environment
variables.</p>
- <p>The first argument to this directive is always
- <code>from</code>. The subsequent arguments can take three
- different forms. If <code>Allow from all</code> is specified, then
- all hosts are allowed access, subject to the configuration of the
- <directive module="mod_authz_host">Deny</directive> and <directive
- module="mod_authz_host">Order</directive> directives as discussed
- below. To allow only particular hosts or groups of hosts to access
- the server, the <em>host</em> can be specified in any of the
- following formats:</p>
-
- <dl>
- <dt>A (partial) domain-name</dt>
-
- <dd>
- <example><title>Example:</title>
- Allow from apache.org<br />
- Allow from .net example.edu
- </example>
- <p>Hosts whose names match, or end in, this string are allowed
- access. Only complete components are matched, so the above
- example will match <code>foo.apache.org</code> but it will not
- match <code>fooapache.org</code>. This configuration will cause
- Apache to perform a double reverse DNS lookup on the client IP
- address, regardless of the setting of the <directive
- module="core">HostnameLookups</directive> directive. It will do
- a reverse DNS lookup on the IP address to find the associated
- hostname, and then do a forward lookup on the hostname to assure
- that it matches the original IP address. Only if the forward
- and reverse DNS are consistent and the hostname matches will
- access be allowed.</p></dd>
-
- <dt>A full IP address</dt>
-
- <dd>
- <example><title>Example:</title>
- Allow from 10.1.2.3<br />
- Allow from 192.168.1.104 192.168.1.205
- </example>
- <p>An IP address of a host allowed access</p></dd>
-
- <dt>A partial IP address</dt>
-
- <dd>
- <example><title>Example:</title>
- Allow from 10.1<br />
- Allow from 10 172.20 192.168.2
- </example>
- <p>The first 1 to 3 bytes of an IP address, for subnet
- restriction.</p></dd>
-
- <dt>A network/netmask pair</dt>
-
- <dd>
- <example><title>Example:</title>
- Allow from 10.1.0.0/255.255.0.0
- </example>
- <p>A network a.b.c.d, and a netmask w.x.y.z. For more
- fine-grained subnet restriction.</p></dd>
-
- <dt>A network/nnn CIDR specification</dt>
-
- <dd>
- <example><title>Example:</title>
- Allow from 10.1.0.0/16
- </example>
- <p>Similar to the previous case, except the netmask consists of
- nnn high-order 1 bits.</p></dd>
- </dl>
-
- <p>Note that the last three examples above match exactly the
- same set of hosts.</p>
-
- <p>IPv6 addresses and IPv6 subnets can be specified as shown
- below:</p>
-
- <example>
- Allow from 2001:db8::a00:20ff:fea7:ccea<br />
- Allow from 2001:db8::a00:20ff:fea7:ccea/10
- </example>
+<section id="reqenv"><title>require env</title>
- <p>The third format of the arguments to the
- <directive>Allow</directive> directive allows access to the server
+ <p>The <code>env</code> provider allows access to the server
to be controlled based on the existence of an <a
- href="../env.html">environment variable</a>. When <code>Allow from
- env=<var>env-variable</var></code> is specified, then the request is
+ href="../env.html">environment variable</a>. When <code>Require
+ env <var>env-variable</var></code> is specified, then the request is
allowed access if the environment variable <var>env-variable</var>
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
@@ -175,162 +87,126 @@
used to allow access based on such factors as the clients
<code>User-Agent</code> (browser type), <code>Referer</code>, or
other HTTP request header fields.</p>
-
+
<example><title>Example:</title>
SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
<Directory /docroot><br />
<indent>
- Order Deny,Allow<br />
- Deny from all<br />
- Allow from env=let_me_in<br />
+ Require env let_me_in<br />
</indent>
</Directory>
</example>
-
+
<p>In this case, browsers with a user-agent string beginning
with <code>KnockKnock/2.0</code> will be allowed access, and all
others will be denied.</p>
-</usage>
-</directivesynopsis>
-<directivesynopsis>
-<name>Deny</name>
-<description>Controls which hosts are denied access to the
-server</description>
-<syntax> Deny from all|<var>host</var>|env=<var>env-variable</var>
-[<var>host</var>|env=<var>env-variable</var>] ...</syntax>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>Limit</override>
-
-<usage>
- <p>This directive allows access to the server to be restricted
- based on hostname, IP address, or environment variables. The
- arguments for the <directive>Deny</directive> directive are
- identical to the arguments for the <directive
- module="mod_authz_host">Allow</directive> directive.</p>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>Order</name>
-<description>Controls the default access state and the order in which
-<directive>Allow</directive> and <directive>Deny</directive> are
-evaluated.</description>
-<syntax> Order <var>ordering</var></syntax>
-<default>Order Deny,Allow</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>Limit</override>
-
-<usage>
- <p>The <directive>Order</directive> directive controls the default
- access state and the order in which <directive
- module="mod_authz_host">Allow</directive> and <directive
- module="mod_authz_host">Deny</directive> directives are evaluated.
- <var>Ordering</var> is one of</p>
-
- <dl>
- <dt><code>Deny,Allow</code></dt>
-
- <dd>The <directive module="mod_authz_host">Deny</directive> directives
- are evaluated before the <directive
- module="mod_authz_host">Allow</directive> directives. Access is
- allowed by default. Any client which does not match a
- <directive module="mod_authz_host">Deny</directive> directive or does
- match an <directive module="mod_authz_host">Allow</directive>
- directive will be allowed access to the server.</dd>
-
- <dt><code>Allow,Deny</code></dt>
-
- <dd>The <directive module="mod_authz_host">Allow</directive>
- directives are evaluated before the <directive
- module="mod_authz_host">Deny</directive> directives. Access is denied
- by default. Any client which does not match an <directive
- module="mod_authz_host">Allow</directive> directive or does match a
- <directive module="mod_authz_host">Deny</directive> directive will be
- denied access to the server.</dd>
-
- <dt><code>Mutual-failure</code></dt>
-
- <dd>Only those hosts which appear on the <directive
- module="mod_authz_host">Allow</directive> list and do not appear on
- the <directive module="mod_authz_host">Deny</directive> list are
- granted access. This ordering has the same effect as <code>Order
- Allow,Deny</code> and is deprecated in favor of that
- configuration.</dd>
- </dl>
-
- <p>Keywords may only be separated by a comma; <em>no whitespace</em> is
- allowed between them. Note that in all cases every <directive
- module="mod_authz_host">Allow</directive> and <directive
- module="mod_authz_host">Deny</directive> statement is evaluated.</p>
+</section>
+
+<section id="reqip"><title>require ip</title>
- <p>In the following example, all hosts in the apache.org domain
- are allowed access; all other hosts are denied access.</p>
+ <p>The <code>ip</code> provider allows access to the server
+ to be controlled based on the IP address of the remote client.
+ When <code>Require ip <var>ip-address</var></code> is specified,
+ then the request is allowed access if the IP address matches.</p>
+ <p>A full IP address:</p>
+
<example>
- Order Deny,Allow<br />
- Deny from all<br />
- Allow from apache.org
+ Require ip 10.1.2.3<br />
+ Require ip 192.168.1.104 192.168.1.205
</example>
- <p>In the next example, all hosts in the apache.org domain are
- allowed access, except for the hosts which are in the
- foo.apache.org subdomain, who are denied access. All hosts not
- in the apache.org domain are denied access because the default
- state is to deny access to the server.</p>
+ <p>An IP address of a host allowed access</p>
+
+ <p>A partial IP address:</p>
+
+ <example>
+ Require ip 10.1<br />
+ Require ip 10 172.20 192.168.2
+ </example>
+ <p>The first 1 to 3 bytes of an IP address, for subnet
+ restriction.</p>
+
+ <p>A network/netmask pair:</p>
+
+ <example>
+ Require ip 10.1.0.0/255.255.0.0
+ </example>
+ <p>A network a.b.c.d, and a netmask w.x.y.z. For more
+ fine-grained subnet restriction.</p>
+
+ <p>A network/nnn CIDR specification:</p>
+
+ <example>
+ Require ip 10.1.0.0/16
+ </example>
+ <p>Similar to the previous case, except the netmask consists of
+ nnn high-order 1 bits.</p>
+
+ <p>Note that the last three examples above match exactly the
+ same set of hosts.</p>
+
+ <p>IPv6 addresses and IPv6 subnets can be specified as shown
+ below:</p>
+
+ <example>
+ Require ip 2001:db8::a00:20ff:fea7:ccea<br />
+ Require ip 2001:db8::a00:20ff:fea7:ccea/10
+ </example>
+
+
+</section>
+
+<section id="reqhost"><title>require host</title>
+ <p>The <code>host</code> provider allows access to the server
+ to be controlled based on the host name of the remote client.
+ When <code>Require host <var>host-name</var></code> is specified,
+ then the request is allowed access if the host name matches.</p>
+
+ <p>A (partial) domain-name</p>
+
<example>
- Order Allow,Deny<br />
- Allow from apache.org<br />
- Deny from foo.apache.org
+ Require host apache.org<br />
+ Require host .net example.edu
</example>
+
+ <p>Hosts whose names match, or end in, this string are allowed
+ access. Only complete components are matched, so the above
+ example will match <code>foo.apache.org</code> but it will not
+ match <code>fooapache.org</code>. This configuration will cause
+ Apache to perform a double reverse DNS lookup on the client IP
+ address, regardless of the setting of the <directive
+ module="core">HostnameLookups</directive> directive. It will do
+ a reverse DNS lookup on the IP address to find the associated
+ hostname, and then do a forward lookup on the hostname to assure
+ that it matches the original IP address. Only if the forward
+ and reverse DNS are consistent and the hostname matches will
+ access be allowed.</p>
+
+</section>
+
+<section id="reqall"><title>require all</title>
+
+ <p>The <code>all</code> provider mimics the functionality the
+ was previously provided by the 'Allow from all' and 'Deny from all'
+ directives. This provider can take one of two arguments which are
+ 'granted' or 'denied'. The following examples will grant or deny
+ access to all requests.</p>
- <p>On the other hand, if the <directive>Order</directive> in the last
- example is changed to <code>Deny,Allow</code>, all hosts will
- be allowed access. This happens because, regardless of the
- actual ordering of the directives in the configuration file,
- the <code>Allow from apache.org</code> will be evaluated last
- and will override the <code>Deny from foo.apache.org</code>.
- All hosts not in the <code>apache.org</code> domain will also
- be allowed access because the default state will change to
- <em>allow</em>.</p>
-
- <p>The presence of an <directive>Order</directive> directive can affect
- access to a part of the server even in the absence of accompanying
- <directive module="mod_authz_host">Allow</directive> and <directive
- module="mod_authz_host">Deny</directive> directives because of its effect
- on the default access state. For example,</p>
+ <example>
+ Require all granted<br />
+ </example>
<example>
- <Directory /www><br />
- <indent>
- Order Allow,Deny<br />
- </indent>
- </Directory>
+ Require all denied<br />
</example>
- <p>will deny all access to the <code>/www</code> directory
- because the default access state will be set to
- <em>deny</em>.</p>
-
- <p>The <directive>Order</directive> directive controls the order of access
- directive processing only within each phase of the server's
- configuration processing. This implies, for example, that an
- <directive module="mod_authz_host">Allow</directive> or <directive
- module="mod_authz_host">Deny</directive> directive occurring in a
- <directive module="core" type="section">Location</directive> section will
- always be evaluated after an <directive
- module="mod_authz_host">Allow</directive> or <directive
- module="mod_authz_host">Deny</directive> directive occurring in a
- <directive module="core" type="section">Directory</directive> section or
- <code>.htaccess</code> file, regardless of the setting of the
- <directive>Order</directive> directive. For details on the merging
- of configuration sections, see the documentation on <a
- href="../sections.html">How Directory, Location and Files sections
- work</a>.</p>
-</usage>
-</directivesynopsis>
+</section>
+
+
+</section>
+
</modulesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_owner.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_owner.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_owner.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_owner.xml Wed Jan 11 06:30:28 2006
@@ -70,7 +70,6 @@
</note>
</summary>
<seealso><directive module="core">Require</directive></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
<section id="examples"><title>Configuration Examples</title>
@@ -93,7 +92,6 @@
AuthName MyPrivateFiles<br />
AuthBasicProvider dbm<br />
AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
- Satisfy All<br />
Require file-owner<br />
</indent>
</Directory>
@@ -131,40 +129,5 @@
</example>
</section>
</section>
-
-<directivesynopsis>
-<name>AuthzOwnerAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzOwnerAuthoritative On|Off</syntax>
-<default>AuthzOwnerAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzOwnerAuthoritative</directive>
- directive explicitly to <code>Off</code> allows for
- user authorization to be passed on to lower level modules (as defined
- in the <code>modules.c</code> files) if:</p>
-
- <ul>
- <li>in the case of <code>file-owner</code> the file-system owner does not
- match the supplied web-username or could not be determined, or</li>
-
- <li>in the case of <code>file-group</code> the file-system group does not
- contain the supplied web-username or could not be determined.</li>
- </ul>
-
- <p>Note that setting the value to <code>Off</code> also allows the
- combination of <code>file-owner</code> and <code>file-group</code>, so
- access will be allowed if either one or the other (or both) match.</p>
-
- <p>By default, control is not passed on and an authorization failure
- will result in an "Authentication Required" reply. Not
- setting it to <code>Off</code> thus keeps the system secure and forces
- an NCSA compliant behaviour.</p>
-</usage>
-</directivesynopsis>
</modulesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_user.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_authz_user.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_user.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_user.xml Wed Jan 11 06:30:28 2006
@@ -38,30 +38,5 @@
grant access to all successfully authenticated users.</p>
</summary>
<seealso><directive module="core">Require</directive></seealso>
-<seealso><directive module="core">Satisfy</directive></seealso>
-
-<directivesynopsis>
-<name>AuthzUserAuthoritative</name>
-<description>Sets whether authorization will be passed on to lower level
-modules</description>
-<syntax>AuthzUserAuthoritative On|Off</syntax>
-<default>AuthzUserAuthoritative On</default>
-<contextlist><context>directory</context><context>.htaccess</context>
-</contextlist>
-<override>AuthConfig</override>
-
-<usage>
- <p>Setting the <directive>AuthzUserAuthoritative</directive>
- directive explicitly to <code>Off</code> allows for
- user authorization to be passed on to lower level modules (as defined
- in the <code>modules.c</code> files) if there is <strong>no
- user</strong> matching the supplied userID.</p>
-
- <p>By default, control is not passed on and an unknown user
- will result in an Authentication Required reply. Not
- setting it to <code>Off</code> thus keeps the system secure and forces
- an NCSA compliant behaviour.</p>
-</usage>
-</directivesynopsis>
</modulesynopsis>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ldap.xml Wed Jan 11 06:30:28 2006
@@ -81,7 +81,6 @@
Allow from yourdomain.example.com<br />
AuthLDAPEnabled on<br />
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
@@ -212,7 +211,6 @@
Allow from yourdomain.example.com<br />
AuthLDAPEnabled on<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
@@ -234,7 +232,6 @@
AuthLDAPEnabled on<br />
LDAPTrustedMode TLS
AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
@@ -287,7 +284,6 @@
AuthLDAPEnabled on<br />
LDAPTrustedClientCert CERT_NICKNAME <nickname> [password]<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
@@ -355,7 +351,6 @@
LDAPTrustedClientCert CERT_BASE64 /certs/cert1.pem<br />
LDAPTrustedClientCert KEY_BASE64 /certs/key1.pem<br />
AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br />
- AuthLDAPAuthoritative on<br />
require valid-user<br />
</indent>
</Location>
Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/include/ap_mmn.h?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Wed Jan 11 06:30:28 2006
@@ -111,12 +111,15 @@
* 20051115.0 (2.3.0-dev) Added use_canonical_phys_port to core_dir_config
* 20051231.0 (2.3.0-dev) Added num_blank_lines, pending_header_line, and
* pending_header_size to request_rec
+ * 20060110.0 (2.3.0-dev) Conversion of Authz to be provider based
+ addition of <SatisfyAll><SatisfyOne>
+ removal of Satisfy, Allow, Deny, Order
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20051231
+#define MODULE_MAGIC_NUMBER_MAJOR 20060110
#endif
#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
Modified: httpd/httpd/trunk/include/http_core.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/include/http_core.h?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_core.h (original)
+++ httpd/httpd/trunk/include/http_core.h Wed Jan 11 06:30:28 2006
@@ -114,13 +114,6 @@
/** @} // get_remote_host */
-/** all of the requirements must be met */
-#define SATISFY_ALL 0
-/** any of the requirements must be met */
-#define SATISFY_ANY 1
-/** There are no applicable satisfy lines */
-#define SATISFY_NOSPEC 2
-
/** Make sure we don't write less than 8000 bytes at any one time.
*/
#define AP_MIN_BYTES_TO_WRITE 8000
@@ -294,25 +287,6 @@
*/
AP_DECLARE(const char *) ap_auth_name(request_rec *r);
-/**
- * How the requires lines must be met.
- * @param r The current request
- * @return How the requirements must be met. One of:
- * <pre>
- * SATISFY_ANY -- any of the requirements must be met.
- * SATISFY_ALL -- all of the requirements must be met.
- * SATISFY_NOSPEC -- There are no applicable satisfy lines
- * </pre>
- */
-AP_DECLARE(int) ap_satisfies(request_rec *r);
-
-/**
- * Retrieve information about all of the requires directives for this request
- * @param r The current request
- * @return An array of all requires directives for this request
- */
-AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r);
-
#ifdef CORE_PRIVATE
/**
@@ -451,13 +425,6 @@
char *ap_default_type;
- /* Authentication stuff. Groan... */
-
- int *satisfy; /* for every method one */
- char *ap_auth_type;
- char *ap_auth_name;
- apr_array_header_t *ap_requires;
-
/* Custom response config. These can contain text or a URL to redirect to.
* if response_code_strings is NULL then there are none in the config,
* if it's not null then it's allocated to sizeof(char*)*RESPONSE_CODES.
@@ -679,6 +646,15 @@
APR_DECLARE_OPTIONAL_FN(const char *, ap_ident_lookup,
(request_rec *r));
+
+/* ----------------------------------------------------------------------
+ *
+ * authorization values with mod_authz_host
+ */
+
+APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r));
+APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r));
+APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r));
/* ---------------------------------------------------------------------- */
Modified: httpd/httpd/trunk/modules/aaa/NWGNUmakefile
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/NWGNUmakefile?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/NWGNUmakefile (original)
+++ httpd/httpd/trunk/modules/aaa/NWGNUmakefile Wed Jan 11 06:30:28 2006
@@ -156,10 +156,12 @@
$(OBJDIR)/authdigt.nlm \
$(OBJDIR)/authnano.nlm \
$(OBJDIR)/authnalias.nlm \
+ $(OBJDIR)/authncore.nlm \
$(OBJDIR)/authndbm.nlm \
$(OBJDIR)/authndef.nlm \
$(OBJDIR)/authnfil.nlm \
$(OBJDIR)/authndbd.nlm \
+ $(OBJDIR)/authzcore.nlm \
$(OBJDIR)/authzdbm.nlm \
$(OBJDIR)/authzdef.nlm \
$(OBJDIR)/authzgrp.nlm \
Modified: httpd/httpd/trunk/modules/aaa/config.m4
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/config.m4?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/config.m4 (original)
+++ httpd/httpd/trunk/modules/aaa/config.m4 Wed Jan 11 06:30:28 2006
@@ -18,8 +18,10 @@
dnl keep the bad guys out.
APACHE_MODULE(authn_default, authentication backstopper, , , yes)
-dnl Provider alias module.
-APACHE_MODULE(authn_alias, auth provider alias, , , no)
+dnl General Authentication modules; module which implements the
+dnl non-authn module specific directives.
+dnl
+APACHE_MODULE(authn_core, core authentication module, , , yes)
dnl Authorization modules: modules which verify a certain property such as
dnl membership of a group, value of the IP address against a list of pre
@@ -32,6 +34,11 @@
APACHE_MODULE(authz_dbm, DBM-based authorization control, , , most)
APACHE_MODULE(authz_owner, 'require file-owner' authorization control, , , most)
APACHE_MODULE(authz_dbd, SQL based authorization and Login/Session support, , , most)
+
+dnl General Authorization modules; provider module which implements the
+dnl non-authz module specific directives.
+dnl
+APACHE_MODULE(authz_core, core authorization provider vector module, , , yes)
dnl LDAP authentication module. This module has both the authn and authz
dnl modules in one, so as to share the LDAP server config directives.
Modified: httpd/httpd/trunk/modules/aaa/mod_auth.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_auth.h?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_auth.h (original)
+++ httpd/httpd/trunk/modules/aaa/mod_auth.h Wed Jan 11 06:30:28 2006
@@ -16,7 +16,7 @@
/**
* @file mod_auth.h
- * @brief uthentication Extension Module for Apache
+ * @brief Authentication and Authorization Extension for Apache
*
* @defgroup MOD_AUTH mod_auth
* @ingroup APACHE_MODS
@@ -35,10 +35,13 @@
#endif
#define AUTHN_PROVIDER_GROUP "authn"
+#define AUTHZ_PROVIDER_GROUP "authz"
#define AUTHN_DEFAULT_PROVIDER "file"
-
+#define AUTHZ_DEFAULT_PROVIDER "default"
+
#define AUTHZ_GROUP_NOTE "authz_group_note"
#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
+#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
typedef enum {
AUTH_DENIED,
@@ -48,12 +51,23 @@
AUTH_GENERAL_ERROR
} authn_status;
+typedef enum {
+ AUTHZ_DENIED,
+ AUTHZ_GRANTED,
+ AUTHZ_GENERAL_ERROR
+} authz_status;
+
+typedef enum {
+ AUTHZ_REQSTATE_ONE,
+ AUTHZ_REQSTATE_ALL
+} authz_request_state;
+
typedef struct {
/* Given a username and password, expected to return AUTH_GRANTED
* if we can validate this user/password combination.
*/
authn_status (*check_password)(request_rec *r, const char *user,
- const char *password);
+ const char *password);
/* Given a user and realm, expected to return AUTH_USER_FOUND if we
* can find a md5 hash of 'user:realm:password'
@@ -72,9 +86,29 @@
};
typedef struct {
- /* For a given user, return a hash of all groups the user belongs to. */
- apr_hash_t * (*get_user_groups)(request_rec *r, const char *user);
+ /* Given a request_rec, expected to return AUTH_GRANTED
+ * if we can authorize user access.
+ */
+ authz_status (*check_authorization)(request_rec *r,
+ const char *require_line);
} authz_provider;
+
+/* A linked-list of authn providers. */
+typedef struct authz_provider_list authz_provider_list;
+
+struct authz_provider_list {
+ const char *provider_name;
+ const authz_provider *provider;
+ authz_provider_list *one_next;
+ authz_provider_list *all_next;
+ /** If a Limit method is in effect, this field will be set */
+ apr_int64_t method_mask;
+ authz_request_state req_state;
+ int req_state_level;
+ /** String following 'require <provider>' from config file */
+ char *requirement;
+ int is_reject;
+};
#ifdef __cplusplus
}
Modified: httpd/httpd/trunk/modules/aaa/mod_auth_basic.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_auth_basic.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_auth_basic.c Wed Jan 11 06:30:28 2006
@@ -195,7 +195,7 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
- r->ap_auth_type = "Basic";
+ r->ap_auth_type = (char*)current_auth;
res = get_basic_auth(r, &sent_user, &sent_pw);
if (res) {
Copied: httpd/httpd/trunk/modules/aaa/mod_authn_core.c (from r360213, httpd/httpd/branches/authz-dev/modules/aaa/mod_authn_core.c)
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authn_core.c?p2=httpd/httpd/trunk/modules/aaa/mod_authn_core.c&p1=httpd/httpd/branches/authz-dev/modules/aaa/mod_authn_core.c&r1=360213&r2=368027&rev=368027&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authn_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authn_core.c Wed Jan 11 06:30:28 2006
@@ -27,13 +27,15 @@
#define APR_WANT_BYTEFUNC
#include "apr_want.h"
+#define CORE_PRIVATE
#include "ap_config.h"
#include "httpd.h"
-#include "http_core.h"
#include "http_config.h"
+#include "http_core.h"
#include "http_log.h"
#include "http_request.h"
#include "http_protocol.h"
+#include "ap_provider.h"
#include "mod_auth.h"
@@ -55,6 +57,18 @@
char *ap_auth_name;
} authn_core_dir_conf;
+typedef struct provider_alias_rec {
+ char *provider_name;
+ char *provider_alias;
+ ap_conf_vector_t *sec_auth;
+ const authn_provider *provider;
+} provider_alias_rec;
+
+typedef struct authn_alias_srv_conf {
+ apr_hash_t *alias_rec;
+} authn_alias_srv_conf;
+
+
module AP_MODULE_DECLARE_DATA authn_core_module;
static void *create_authn_core_dir_config(apr_pool_t *p, char *dummy)
@@ -88,6 +102,153 @@
return (void*)conf;
}
+static authn_status authn_alias_check_password(request_rec *r, const char *user,
+ const char *password)
+{
+ /* Look up the provider alias in the alias list */
+ /* Get the the dir_config and call ap_Merge_per_dir_configs() */
+ /* Call the real provider->check_password() function */
+ /* return the result of the above function call */
+
+ const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
+ authn_status ret = AUTH_USER_NOT_FOUND;
+ authn_alias_srv_conf *authcfg =
+ (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
+ &authn_core_module);
+
+ if (provider_name) {
+ provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
+ provider_name, APR_HASH_KEY_STRING);
+ ap_conf_vector_t *orig_dir_config = r->per_dir_config;
+
+ /* If we found the alias provider in the list, then merge the directory
+ configurations and call the real provider */
+ if (prvdraliasrec) {
+ r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
+ prvdraliasrec->sec_auth);
+ ret = prvdraliasrec->provider->check_password(r,user,password);
+ r->per_dir_config = orig_dir_config;
+ }
+ }
+
+ return ret;
+}
+
+static authn_status authn_alias_get_realm_hash(request_rec *r, const char *user,
+ const char *realm, char **rethash)
+{
+ /* Look up the provider alias in the alias list */
+ /* Get the the dir_config and call ap_Merge_per_dir_configs() */
+ /* Call the real provider->get_realm_hash() function */
+ /* return the result of the above function call */
+
+ const char *provider_name = apr_table_get(r->notes, AUTHN_PROVIDER_NAME_NOTE);
+ authn_status ret = AUTH_USER_NOT_FOUND;
+ authn_alias_srv_conf *authcfg =
+ (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
+ &authn_core_module);
+
+ if (provider_name) {
+ provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
+ provider_name, APR_HASH_KEY_STRING);
+ ap_conf_vector_t *orig_dir_config = r->per_dir_config;
+
+ /* If we found the alias provider in the list, then merge the directory
+ configurations and call the real provider */
+ if (prvdraliasrec) {
+ r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config,
+ prvdraliasrec->sec_auth);
+ ret = prvdraliasrec->provider->get_realm_hash(r,user,realm,rethash);
+ r->per_dir_config = orig_dir_config;
+ }
+ }
+
+ return ret;
+}
+
+static void *create_authn_alias_svr_config(apr_pool_t *p, server_rec *s)
+{
+
+ authn_alias_srv_conf *authcfg;
+
+ authcfg = (authn_alias_srv_conf *) apr_pcalloc(p, sizeof(authn_alias_srv_conf));
+ authcfg->alias_rec = apr_hash_make(p);
+
+ return (void *) authcfg;
+}
+
+static const authn_provider authn_alias_provider =
+{
+ &authn_alias_check_password,
+ &authn_alias_get_realm_hash,
+};
+
+static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg)
+{
+ int old_overrides = cmd->override;
+ const char *endp = ap_strrchr_c(arg, '>');
+ const char *args;
+ char *provider_alias;
+ char *provider_name;
+ const char *errmsg;
+ ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool);
+ authn_alias_srv_conf *authcfg =
+ (authn_alias_srv_conf *)ap_get_module_config(cmd->server->module_config,
+ &authn_core_module);
+
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+
+ if (endp == NULL) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ "> directive missing closing '>'", NULL);
+ }
+
+ args = apr_pstrndup(cmd->pool, arg, endp - arg);
+
+ if (!args[0]) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ "> directive requires additional arguments", NULL);
+ }
+
+ /* Pull the real provider name and the alias name from the block header */
+ provider_name = ap_getword_conf(cmd->pool, &args);
+ provider_alias = ap_getword_conf(cmd->pool, &args);
+
+ if (!provider_name[0] || !provider_alias[0]) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name,
+ "> directive requires additional arguments", NULL);
+ }
+
+ /* walk the subsection configuration to get the per_dir config that we will
+ merge just before the real provider is called. */
+ cmd->override = OR_ALL|ACCESS_CONF;
+ errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config);
+
+ if (!errmsg) {
+ provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec));
+ const authn_provider *provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name,"0");
+
+ /* Save off the new directory config along with the original provider name
+ and function pointer data */
+ prvdraliasrec->sec_auth = new_auth_config;
+ prvdraliasrec->provider_name = provider_name;
+ prvdraliasrec->provider_alias = provider_alias;
+ prvdraliasrec->provider = provider;
+ apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);
+
+ /* Register the fake provider so that we get called first */
+ ap_register_provider(cmd->pool, AUTHN_PROVIDER_GROUP, provider_alias, "0",
+ &authn_alias_provider);
+ }
+
+ cmd->override = old_overrides;
+
+ return errmsg;
+}
+
/*
* Load an authorisation realm into our location configuration, applying the
* usual rules that apply to realms.
@@ -129,6 +290,9 @@
"An HTTP authorization type (e.g., \"Basic\")"),
AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
"The authentication realm (e.g. \"Members Only\")"),
+ AP_INIT_RAW_ARGS("<AuthnProviderAlias", authaliassection, NULL, RSRC_CONF,
+ "Container for authentication directives grouped under "
+ "a provider alias"),
{NULL}
};
@@ -141,9 +305,9 @@
module AP_MODULE_DECLARE_DATA authn_core_module =
{
STANDARD20_MODULE_STUFF,
- create_authn_core_dir_config, /* dir config creater */
- merge_authn_core_dir_config, /* dir merger --- default is to override */
- NULL, /* server config */
+ create_authn_core_dir_config, /* dir config creater */
+ merge_authn_core_dir_config, /* dir merger --- default is to override */
+ create_authn_alias_svr_config, /* server config */
NULL, /* merge server config */
authn_cmds,
register_hooks /* register hooks */
Modified: httpd/httpd/trunk/modules/aaa/mod_authn_default.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/aaa/mod_authn_default.c?rev=368027&r1=368026&r2=368027&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authn_default.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authn_default.c Wed Jan 11 06:30:28 2006
@@ -59,8 +59,10 @@
const char *type;
+ /* if there isn't an auth_type, then assume that no authentication
+ is require so return OK */
if (!(type = ap_auth_type(r))) {
- return DECLINED;
+ return OK;
}
/* fill in the r->user field */