You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2010/07/06 00:58:27 UTC

authorization by user or IP, 2nd try

Hi,

in order to allow authorization by user _or_ IP using a <RequireAny> 
block, r956387 tries to continue with authorization (the auth_checker 
hook) even if authentication (the check_user_id hook) failed.  This 
has two problems:

- If authorization succeeds because of IP, one would need to undo the 
effects of note_*_auth_failure, which has been called by the failed 
authentication function.  In the case of basic auth, this means 
removing the WWW-Authenticate header, but for more complex auth types, 
this can be more complex.

- With more complex auth types, creating the WWW-Authenticate header 
can involve expensive crypto operations. This is a waste if we allow 
the access without authentication anyway.

Therefore I had the idea to introduce a new hook between the 
access_checker and the check_user_id hooks. Differently from 
access_checker, this would be a RUN_FIRST hook and a result of OK 
would mean 'immediately grant access'. DECLINED would mean 'go on with 
authentication' and other values would mean denied.  mod_authz_core 
could then use this hook to grant or deny access if the result of 
authorization does not depend on the user name. In order to know
that, any authz provider that does authorization by user would have to 
return a special return code AUTHZ_DENIED_NO_USER if r->user == NULL. 
(Or there could be a flag in the authz_provider struct).

I have an (incomplete) patch at
http://people.apache.org/~sf/access_checker_authoritative.diff

Does this make sense?  If yes, what would be a good name for the new 
hook? access_checker_authoritative, access_checker_ex, 
auth_checker_userless, ...?

mod_access_compat could also use the new hook to implement Satisfy 
all/any without having the logic in the core. Would it make sense to 
remove the ap_satisfies() API from the core? I believe not. For 
example mod_ssl still uses the access_checker hook and is therefore 
influenced by satisfy all/any.

Cheers,
Stefan


PS: I don't think we have enough automated tests for all the new 
auth/authz/authn modules. If anybody cares about a particular module 
and has some time, please write tests.