Posted to cvs@httpd.apache.org by bn...@apache.org on 2005/12/06 07:07:10 UTC
svn commit: r354331 - in /httpd/httpd/branches/authz-dev:
include/http_core.h modules/aaa/config.m4 modules/aaa/mod_auth_basic.c
modules/aaa/mod_authn.c modules/aaa/mod_authz.c
modules/aaa/mod_authz_host.c server/core.c server/request.c
Author: bnicholes
Date: Mon Dec 5 22:07:04 2005
New Revision: 354331
URL: http://svn.apache.org/viewcvs?rev=354331&view=rev
Log:
Add general authn and authz modules to hold non-authxxx specific directives such as authtype, authname and require. Remove authtype and authname from mod_core.
Added:
httpd/httpd/branches/authz-dev/modules/aaa/mod_authn.c
httpd/httpd/branches/authz-dev/modules/aaa/mod_authz.c
Modified:
httpd/httpd/branches/authz-dev/include/http_core.h
httpd/httpd/branches/authz-dev/modules/aaa/config.m4
httpd/httpd/branches/authz-dev/modules/aaa/mod_auth_basic.c
httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c
httpd/httpd/branches/authz-dev/server/core.c
httpd/httpd/branches/authz-dev/server/request.c
Modified: httpd/httpd/branches/authz-dev/include/http_core.h
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/include/http_core.h?rev=354331&r1=354330&r2=354331&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/include/http_core.h (original)
+++ httpd/httpd/branches/authz-dev/include/http_core.h Mon Dec 5 22:07:04 2005
@@ -454,9 +454,9 @@
/* Authentication stuff. Groan... */
int *satisfy; /* for every method one */
- char *ap_auth_type; /* Deprecated see mod_authz_host */
- char *ap_auth_name; /* Deprecated see mod_authz_host */
- apr_array_header_t *ap_requires; /* Deprecated see mod_authz_host */
+ char *ap_auth_type; /* Deprecated see mod_authn */
+ char *ap_auth_name; /* Deprecated see mod_authn */
+ apr_array_header_t *ap_requires; /* Deprecated see mod_authz */
/* Custom response config. These can contain text or a URL to redirect to.
* if response_code_strings is NULL then there are none in the config,
@@ -685,13 +685,11 @@
* authorization values with mod_authz_host
*/
-APR_DECLARE_OPTIONAL_FN(const apr_array_header_t *, authz_host_ap_requires,
+APR_DECLARE_OPTIONAL_FN(const apr_array_header_t *, authz_ap_requires,
(request_rec *r));
APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r));
-/*
-APR_DECLARE_OPTIONAL_FN(const char *, authz_host_ap_auth_type, (request_rec *r));
-APR_DECLARE_OPTIONAL_FN(const char *, authz_host_ap_auth_name, (request_rec *r));
-*/
+APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r));
+APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r));
/* ---------------------------------------------------------------------- */
Modified: httpd/httpd/branches/authz-dev/modules/aaa/config.m4
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/config.m4?rev=354331&r1=354330&r2=354331&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/config.m4 (original)
+++ httpd/httpd/branches/authz-dev/modules/aaa/config.m4 Mon Dec 5 22:07:04 2005
@@ -21,6 +21,11 @@
dnl Provider alias module.
APACHE_MODULE(authn_alias, auth provider alias, , , no)
+dnl General Authentication modules; module which implements the
+dnl non-authn module specific directives.
+dnl
+APACHE_MODULE(authn, general authentication module, , , yes)
+
dnl Authorization modules: modules which verify a certain property such as
dnl membership of a group, value of the IP address against a list of pre
dnl configured directives (e.g. require, allow) or against an external file
@@ -32,6 +37,11 @@
APACHE_MODULE(authz_dbm, DBM-based authorization control, , , most)
APACHE_MODULE(authz_owner, 'require file-owner' authorization control, , , most)
APACHE_MODULE(authz_dbd, SQL based authorization and Login/Session support, , , most)
+
+dnl General Authorization modules; provider module which implements the
+dnl non-authz module specific directives.
+dnl
+APACHE_MODULE(authz, general authorization provider vector module, , , yes)
dnl LDAP authentication module. This module has both the authn and authz
dnl modules in one, so as to share the LDAP server config directives.
Modified: httpd/httpd/branches/authz-dev/modules/aaa/mod_auth_basic.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_auth_basic.c?rev=354331&r1=354330&r2=354331&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_auth_basic.c (original)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_auth_basic.c Mon Dec 5 22:07:04 2005
@@ -195,7 +195,11 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
- r->ap_auth_type = "Basic";
+ /*XXX Need to figure out how to remove ap_auth_type from
+ the request_rec yet still make the data available
+ on a per-request basis.
+ */
+ r->ap_auth_type = current_auth;
res = get_basic_auth(r, &sent_user, &sent_pw);
if (res) {
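Review bot: `r->ap_auth_type` no longer carries the fixed literal `"Basic"`; it now takes whatever `current_auth` holds, and `current_auth` is assigned outside this hunk. If that value is the AuthType string as written in the configuration, its case follows the config file, so anything that compares `r->ap_auth_type` against `"Basic"` exactly may stop matching. Either keep the literal here or record the change next to the assignment, e.g. `/* current_auth is the configured AuthType; case is not normalised */`. The enclosing function starts and ends outside the hunk.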
Added: httpd/httpd/branches/authz-dev/modules/aaa/mod_authn.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_authn.c?rev=354331&view=auto
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authn.c (added)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authn.c Mon Dec 5 22:07:04 2005
@@ -0,0 +1,141 @@
+/* Copyright 2002-2005 The Apache Software Foundation or its licensors, as
+ * applicable.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Security options etc.
+ *
+ * Module derived from code originally written by Rob McCool
+ *
+ */
+
+#include "apr_strings.h"
+#include "apr_network_io.h"
+#define APR_WANT_STRFUNC
+#define APR_WANT_BYTEFUNC
+#include "apr_want.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_core.h"
+#include "http_config.h"
+#include "http_log.h"
+#include "http_request.h"
+#include "http_protocol.h"
+
+#include "mod_auth.h"
+
+#if APR_HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+typedef struct {
+ char *ap_auth_type;
+ char *ap_auth_name;
+} authn_dir_conf;
+
+module AP_MODULE_DECLARE_DATA authn_module;
+
+static void *create_authn_dir_config(apr_pool_t *p, char *dummy)
+{
+ authn_dir_conf *conf =
+ (authn_dir_conf *)apr_pcalloc(p, sizeof(authn_dir_conf));
+
+ return (void *)conf;
+}
+
+static void *merge_authn_dir_config(apr_pool_t *a, void *basev, void *newv)
+{
+ authn_dir_conf *base = (authn_dir_conf *)basev;
+ authn_dir_conf *new = (authn_dir_conf *)newv;
+ authn_dir_conf *conf;
+
+ /* Create this conf by duplicating the base, replacing elements
+ * (or creating copies for merging) where new-> values exist.
+ */
+ conf = (authn_dir_conf *)apr_palloc(a, sizeof(authn_dir_conf));
+ memcpy(conf, base, sizeof(authn_dir_conf));
+
+ if (new->ap_auth_type) {
+ conf->ap_auth_type = new->ap_auth_type;
+ }
+
+ if (new->ap_auth_name) {
+ conf->ap_auth_name = new->ap_auth_name;
+ }
+
+ return (void*)conf;
+}
+
+/*
+ * Load an authorisation realm into our location configuration, applying the
+ * usual rules that apply to realms.
+ */
+static const char *set_authname(cmd_parms *cmd, void *mconfig,
+ const char *word1)
+{
+ authn_dir_conf *aconfig = (authn_dir_conf *)mconfig;
+
+ aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
+ return NULL;
+}
+
+
+static const char *authn_ap_auth_type(request_rec *r)
+{
+ authn_dir_conf *conf;
+
+ conf = (authn_dir_conf *)ap_get_module_config(r->per_dir_config,
+ &authn_module);
+
+ return apr_pstrdup(r->pool, conf->ap_auth_type);
+}
+
+static const char *authn_ap_auth_name(request_rec *r)
+{
+ authn_dir_conf *conf;
+
+ conf = (authn_dir_conf *)ap_get_module_config(r->per_dir_config,
+ &authn_module);
+
+ return apr_pstrdup(r->pool, conf->ap_auth_name);
+}
+
+static const command_rec authn_cmds[] =
+{
+ AP_INIT_TAKE1("AuthType", ap_set_string_slot,
+ (void*)APR_OFFSETOF(authn_dir_conf, ap_auth_type), OR_AUTHCFG,
+ "An HTTP authorization type (e.g., \"Basic\")"),
+ AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
+ "The authentication realm (e.g. \"Members Only\")"),
+ {NULL}
+};
+
+static void register_hooks(apr_pool_t *p)
+{
+ APR_REGISTER_OPTIONAL_FN(authn_ap_auth_type);
+ APR_REGISTER_OPTIONAL_FN(authn_ap_auth_name);
+}
+
+module AP_MODULE_DECLARE_DATA authn_module =
+{
+ STANDARD20_MODULE_STUFF,
+ create_authn_dir_config, /* dir config creater */
+ merge_authn_dir_config, /* dir merger --- default is to override */
+ NULL, /* server config */
+ NULL, /* merge server config */
+ authn_cmds,
+ register_hooks /* register hooks */
+};
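Review bot: `authn_ap_auth_type` and `authn_ap_auth_name` copy the configured string into `r->pool` with `apr_pstrdup` on every call, so each lookup during a request allocates again for a value that does not change. The core implementation this commit comments out returned `conf->ap_auth_type` directly; `return conf->ap_auth_type;` and `return conf->ap_auth_name;` would keep that behaviour. If the copy is intentional, for instance because mod_auth_basic now stores the result in the non-const `r->ap_auth_type`, say so in a comment such as `/* copy so callers never hold a pointer into the per-dir config */`.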
Added: httpd/httpd/branches/authz-dev/modules/aaa/mod_authz.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_authz.c?rev=354331&view=auto
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authz.c (added)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authz.c Mon Dec 5 22:07:04 2005
@@ -0,0 +1,275 @@
+/* Copyright 2002-2005 The Apache Software Foundation or its licensors, as
+ * applicable.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Security options etc.
+ *
+ * Module derived from code originally written by Rob McCool
+ *
+ */
+
+#include "apr_strings.h"
+#include "apr_network_io.h"
+#include "apr_md5.h"
+
+#define APR_WANT_STRFUNC
+#define APR_WANT_BYTEFUNC
+#include "apr_want.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_core.h"
+#include "http_config.h"
+#include "http_log.h"
+#include "http_request.h"
+#include "http_protocol.h"
+#include "ap_provider.h"
+
+#include "mod_auth.h"
+
+#if APR_HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+typedef struct {
+ apr_array_header_t *ap_requires;
+ authz_provider_list *providers;
+} authz_dir_conf;
+
+module AP_MODULE_DECLARE_DATA authz_module;
+
+static void *create_authz_dir_config(apr_pool_t *p, char *dummy)
+{
+ authz_dir_conf *conf =
+ (authz_dir_conf *)apr_pcalloc(p, sizeof(authz_dir_conf));
+
+ return (void *)conf;
+}
+
+static void *merge_authz_dir_config(apr_pool_t *a, void *basev, void *newv)
+{
+ authz_dir_conf *base = (authz_dir_conf *)basev;
+ authz_dir_conf *new = (authz_dir_conf *)newv;
+ authz_dir_conf *conf;
+
+ /* Create this conf by duplicating the base, replacing elements
+ * (or creating copies for merging) where new-> values exist.
+ */
+ conf = (authz_dir_conf *)apr_palloc(a, sizeof(authz_dir_conf));
+ memcpy(conf, base, sizeof(authz_dir_conf));
+
+ if (new->ap_requires) {
+ conf->ap_requires = new->ap_requires;
+ }
+
+ return (void*)conf;
+}
+
+static const char *add_authz_provider(cmd_parms *cmd, void *config,
+ const char *arg)
+{
+ authz_dir_conf *conf = (authz_dir_conf*)config;
+ authz_provider_list *newp;
+
+ newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list));
+ /* XXX: Split this out to the name and then the rest of the directive. */
+ newp->provider_name = apr_pstrdup(cmd->pool, arg);
+ newp->requirement = apr_pstrdup(cmd->pool, arg);
+ newp->method_mask = cmd->limited;
+
+ /* lookup and cache the actual provider now */
+ newp->provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
+ newp->provider_name, "0");
+
+ /* by the time the config file is used, the provider should be loaded
+ * and registered with us.
+ */
+ if (newp->provider == NULL) {
+ return apr_psprintf(cmd->pool,
+ "Unknown Authz provider: %s",
+ newp->provider_name);
+ }
+
+ /* if the provider doesn't provide the appropriate function, reject it */
+ if (!newp->provider->check_authorization) {
+ return apr_psprintf(cmd->pool,
+ "The '%s' Authz provider is not supported by any "
+ "of the loaded authorization modules ",
+ newp->provider_name);
+ }
+
+ /* Add it to the list now. */
+ if (!conf->providers) {
+ conf->providers = newp;
+ }
+ else {
+ authz_provider_list *last = conf->providers;
+
+ while (last->next) {
+ last = last->next;
+ }
+ last->next = newp;
+ }
+
+ return NULL;
+}
+
+static const command_rec authz_cmds[] =
+{
+ AP_INIT_RAW_ARGS("Require", add_authz_provider, NULL, OR_AUTHCFG,
+ "Selects which authenticated users or groups may access "
+ "a protected space"),
+ {NULL}
+};
+
+static int authorize_user(request_rec *r)
+{
+ authz_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &authz_module);
+ authz_status auth_result;
+ authz_provider_list *current_provider;
+
+ current_provider = conf->providers;
+ do {
+ const authz_provider *provider;
+
+ /* For now, if a provider isn't set, we'll be nice and use the file
+ * provider.
+ */
+ if (!current_provider) {
+ provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
+ AUTHZ_DEFAULT_PROVIDER, "0");
+
+ if (!provider || !provider->check_authorization) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "No default authz provider configured");
+ auth_result = AUTHZ_GENERAL_ERROR;
+ break;
+ }
+ apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE,
+ AUTHZ_DEFAULT_PROVIDER);
+ }
+ else {
+ provider = current_provider->provider;
+ apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE,
+ current_provider->provider_name);
+ }
+
+
+ auth_result = provider->check_authorization(r,
+ current_provider->method_mask,
+ current_provider->requirement);
+
+ apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
+
+ /* Something occured. Stop checking. */
+ /* XXX: We need to figure out what the implications of multiple
+ * require directives are. Must all satisfy? Can we leverage
+ * satisfy here then?
+ */
+ if (auth_result != AUTHZ_DENIED) {
+ break;
+ }
+
+ /* If we're not really configured for providers, stop now. */
+ if (!conf->providers) {
+ break;
+ }
+
+ current_provider = current_provider->next;
+ } while (current_provider);
+
+ if (auth_result != AUTHZ_GRANTED) {
+ int return_code;
+
+ switch (auth_result) {
+ case AUTHZ_DENIED:
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "user %s: authorization failure for \"%s\": ",
+ r->user, r->uri);
+ return_code = HTTP_UNAUTHORIZED;
+ break;
+ case AUTHZ_GENERAL_ERROR:
+ default:
+ /* We'll assume that the module has already said what its
+ * error was in the logs.
+ */
+ return_code = HTTP_INTERNAL_SERVER_ERROR;
+ break;
+ }
+
+ /* If we're returning 403, tell them to try again. */
+ if (return_code == HTTP_UNAUTHORIZED) {
+ /* XXX: Why is this a basic auth failure? */
+ ap_note_basic_auth_failure (r);
+ }
+ return return_code;
+ }
+
+ return OK;
+}
+
+static const apr_array_header_t *authz_ap_requires(request_rec *r)
+{
+ authz_dir_conf *conf;
+
+ conf = (authz_dir_conf *)ap_get_module_config(r->per_dir_config,
+ &authz_module);
+
+ return conf->ap_requires;
+}
+
+static int authz_some_auth_required(request_rec *r)
+{
+ authz_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+ &authz_module);
+ authz_provider_list *current_provider;
+ int req_authz = 0;
+
+ current_provider = conf->providers;
+ while (current_provider) {
+
+ /* Does this provider config apply for this method */
+ if (current_provider->method_mask &
+ (AP_METHOD_BIT << r->method_number)) {
+ req_authz = 1;
+ break;
+ }
+
+ current_provider = current_provider->next;
+ }
+
+ return req_authz;
+}
+
+static void register_hooks(apr_pool_t *p)
+{
+ APR_REGISTER_OPTIONAL_FN(authz_ap_requires);
+ APR_REGISTER_OPTIONAL_FN(authz_some_auth_required);
+
+ ap_hook_auth_checker(authorize_user, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA authz_module =
+{
+ STANDARD20_MODULE_STUFF,
+ create_authz_dir_config, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ NULL, /* server config */
+ NULL, /* merge server config */
+ authz_cmds,
+ register_hooks /* register hooks */
+};
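Review bot: In `authorize_user`, the fallback branch taken when `current_provider` is NULL looks up the default provider but then falls through to `provider->check_authorization(r, current_provider->method_mask, current_provider->requirement)`, which dereferences the NULL `current_provider`. If the hook runs with no providers configured, the request crashes instead of consulting the default provider; the fallback needs its own method mask and requirement to pass, or should set `auth_result = AUTHZ_GENERAL_ERROR` and `break`. Separately, `merge_authz_dir_config` is never used because the module record passes `NULL` as the dir merger, and it only carries over `ap_requires`, which no directive in this file fills in; `Require` populates `providers`. Either drop the function or register it after making it merge `providers`, and state the intended inheritance rule in a comment, since it decides which `Require` lines apply in nested sections.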
Modified: httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c?rev=354331&r1=354330&r2=354331&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c (original)
+++ httpd/httpd/branches/authz-dev/modules/aaa/mod_authz_host.c Mon Dec 5 22:07:04 2005
@@ -35,10 +35,6 @@
#include "http_config.h"
#include "http_log.h"
#include "http_request.h"
-#include "http_protocol.h"
-#include "ap_provider.h"
-
-#include "mod_auth.h"
#if APR_HAVE_NETINET_IN_H
#include <netinet/in.h>
@@ -70,8 +66,6 @@
int order[METHODS];
apr_array_header_t *allows;
apr_array_header_t *denys;
- apr_array_header_t *ap_requires;
- authz_provider_list *providers;
} authz_host_dir_conf;
module AP_MODULE_DECLARE_DATA authz_host_module;
@@ -91,35 +85,6 @@
return (void *)conf;
}
-static void *merge_authz_host_dir_config(apr_pool_t *a, void *basev, void *newv)
-{
- authz_host_dir_conf *base = (authz_host_dir_conf *)basev;
- authz_host_dir_conf *new = (authz_host_dir_conf *)newv;
- authz_host_dir_conf *conf;
-
- /* Create this conf by duplicating the base, replacing elements
- * (or creating copies for merging) where new-> values exist.
- */
- conf = (authz_host_dir_conf *)apr_palloc(a, sizeof(authz_host_dir_conf));
- memcpy(conf, base, sizeof(authz_host_dir_conf));
-
- /*
- if (new->ap_auth_type) {
- conf->ap_auth_type = new->ap_auth_type;
- }
-
- if (new->ap_auth_name) {
- conf->ap_auth_name = new->ap_auth_name;
- }
- */
-
- if (new->ap_requires) {
- conf->ap_requires = new->ap_requires;
- }
-
- return (void*)conf;
-}
-
static const char *order(cmd_parms *cmd, void *dv, const char *arg)
{
authz_host_dir_conf *d = (authz_host_dir_conf *) dv;
@@ -194,88 +159,6 @@
return NULL;
}
-/*
- * Load an authorisation realm into our location configuration, applying the
- * usual rules that apply to realms.
- */
-/*
-static const char *set_authname(cmd_parms *cmd, void *mconfig,
- const char *word1)
-{
- authz_host_dir_conf *aconfig = (authz_host_dir_conf *)mconfig;
-
- aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
- return NULL;
-}
-*/
-
-/*
-static const char *require(cmd_parms *cmd, void *c_, const char *arg)
-{
- require_line *r;
- authz_host_dir_conf *c = c_;
-
- if (!c->ap_requires) {
- c->ap_requires = apr_array_make(cmd->pool, 2, sizeof(require_line));
- }
-
- r = (require_line *)apr_array_push(c->ap_requires);
- r->requirement = apr_pstrdup(cmd->pool, arg);
- r->method_mask = cmd->limited;
-
- return NULL;
-}
-*/
-
-static const char *add_authz_provider(cmd_parms *cmd, void *config,
- const char *arg)
-{
- authz_host_dir_conf *conf = (authz_host_dir_conf*)config;
- authz_provider_list *newp;
-
- newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list));
- /* XXX: Split this out to the name and then the rest of the directive. */
- newp->provider_name = apr_pstrdup(cmd->pool, arg);
- newp->requirement = apr_pstrdup(cmd->pool, arg);
- newp->method_mask = cmd->limited;
-
- /* lookup and cache the actual provider now */
- newp->provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
- newp->provider_name, "0");
-
- /* by the time the config file is used, the provider should be loaded
- * and registered with us.
- */
- if (newp->provider == NULL) {
- return apr_psprintf(cmd->pool,
- "Unknown Authz provider: %s",
- newp->provider_name);
- }
-
- /* if the provider doesn't provide the appropriate function, reject it */
- if (!newp->provider->check_authorization) {
- return apr_psprintf(cmd->pool,
- "The '%s' Authz provider is not supported by any "
- "of the loaded authorization modules ",
- newp->provider_name);
- }
-
- /* Add it to the list now. */
- if (!conf->providers) {
- conf->providers = newp;
- }
- else {
- authz_provider_list *last = conf->providers;
-
- while (last->next) {
- last = last->next;
- }
- last->next = newp;
- }
-
- return NULL;
-}
-
static char its_an_allow;
static const command_rec authz_host_cmds[] =
@@ -286,18 +169,8 @@
"'from' followed by hostnames or IP-address wildcards"),
AP_INIT_ITERATE2("deny", allow_cmd, NULL, OR_LIMIT,
"'from' followed by hostnames or IP-address wildcards"),
- AP_INIT_RAW_ARGS("Require", add_authz_provider, NULL, OR_AUTHCFG,
- "Selects which authenticated users or groups may access "
- "a protected space"),
{NULL}
};
-/*
- AP_INIT_TAKE1("AuthType", ap_set_string_slot,
- (void*)APR_OFFSETOF(authz_host_dir_conf, ap_auth_type), OR_AUTHCFG,
- "An HTTP authorization type (e.g., \"Basic\")"),
- AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
- "The authentication realm (e.g. \"Members Only\")"),
-*/
static int in_domain(const char *domain, const char *what)
{
@@ -431,160 +304,10 @@
return ret;
}
-static int authorize_user(request_rec *r)
-{
- authz_host_dir_conf *conf = ap_get_module_config(r->per_dir_config,
- &authz_host_module);
- authz_status auth_result;
- authz_provider_list *current_provider;
-
- current_provider = conf->providers;
- do {
- const authz_provider *provider;
-
- /* For now, if a provider isn't set, we'll be nice and use the file
- * provider.
- */
- if (!current_provider) {
- provider = ap_lookup_provider(AUTHZ_PROVIDER_GROUP,
- AUTHZ_DEFAULT_PROVIDER, "0");
-
- if (!provider || !provider->check_authorization) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "No default authz provider configured");
- auth_result = AUTHZ_GENERAL_ERROR;
- break;
- }
- apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE,
- AUTHZ_DEFAULT_PROVIDER);
- }
- else {
- provider = current_provider->provider;
- apr_table_setn(r->notes, AUTHZ_PROVIDER_NAME_NOTE,
- current_provider->provider_name);
- }
-
-
- auth_result = provider->check_authorization(r,
- current_provider->method_mask,
- current_provider->requirement);
-
- apr_table_unset(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
-
- /* Something occured. Stop checking. */
- /* XXX: We need to figure out what the implications of multiple
- * require directives are. Must all satisfy? Can we leverage
- * satisfy here then?
- */
- if (auth_result != AUTHZ_DENIED) {
- break;
- }
-
- /* If we're not really configured for providers, stop now. */
- if (!conf->providers) {
- break;
- }
-
- current_provider = current_provider->next;
- } while (current_provider);
-
- if (auth_result != AUTHZ_GRANTED) {
- int return_code;
-
- switch (auth_result) {
- case AUTHZ_DENIED:
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "user %s: authorization failure for \"%s\": ",
- r->user, r->uri);
- return_code = HTTP_UNAUTHORIZED;
- break;
- case AUTHZ_GENERAL_ERROR:
- default:
- /* We'll assume that the module has already said what its
- * error was in the logs.
- */
- return_code = HTTP_INTERNAL_SERVER_ERROR;
- break;
- }
-
- /* If we're returning 403, tell them to try again. */
- if (return_code == HTTP_UNAUTHORIZED) {
- /* XXX: Why is this a basic auth failure? */
- ap_note_basic_auth_failure (r);
- }
- return return_code;
- }
-
- return OK;
-}
-
-static const apr_array_header_t *authz_host_ap_requires(request_rec *r)
-{
- authz_host_dir_conf *conf;
-
- conf = (authz_host_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authz_host_module);
-
- return conf->ap_requires;
-}
-
-static int authz_some_auth_required(request_rec *r)
-{
- authz_host_dir_conf *conf = ap_get_module_config(r->per_dir_config,
- &authz_host_module);
- authz_provider_list *current_provider;
- int req_authz = 0;
-
- current_provider = conf->providers;
- while (current_provider) {
-
- /* Does this provider config apply for this method */
- if (current_provider->method_mask &
- (AP_METHOD_BIT << r->method_number)) {
- req_authz = 1;
- break;
- }
-
- current_provider = current_provider->next;
- }
-
- return req_authz;
-}
-
-/*
-static const char *authz_host_ap_auth_type(request_rec *r)
-{
- authz_host_dir_conf *conf;
-
- conf = (authz_host_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authz_host_module);
-
- return conf->ap_auth_type;
-}
-
-static const char *authz_host_ap_auth_name(request_rec *r)
-{
- authz_host_dir_conf *conf;
-
- conf = (authz_host_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authz_host_module);
-
- return conf->ap_auth_name;
-}
-*/
-
static void register_hooks(apr_pool_t *p)
{
- APR_REGISTER_OPTIONAL_FN(authz_host_ap_requires);
- APR_REGISTER_OPTIONAL_FN(authz_some_auth_required);
- /*
- APR_REGISTER_OPTIONAL_FN(authz_host_ap_auth_type);
- APR_REGISTER_OPTIONAL_FN(authz_host_ap_auth_name);
- */
-
/* This can be access checker since we don't require r->user to be set. */
- ap_hook_access_checker(check_dir_access, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_auth_checker(authorize_user, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA authz_host_module =
Modified: httpd/httpd/branches/authz-dev/server/core.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/server/core.c?rev=354331&r1=354330&r2=354331&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/server/core.c (original)
+++ httpd/httpd/branches/authz-dev/server/core.c Mon Dec 5 22:07:04 2005
@@ -268,14 +268,6 @@
conf->ap_default_type = new->ap_default_type;
}
- if (new->ap_auth_type) {
- conf->ap_auth_type = new->ap_auth_type;
- }
-
- if (new->ap_auth_name) {
- conf->ap_auth_name = new->ap_auth_name;
- }
-
if (conf->response_code_strings == NULL) {
conf->response_code_strings = new->response_code_strings;
}
@@ -666,6 +658,7 @@
return conf->override;
}
+/*
AP_DECLARE(const char *) ap_auth_type(request_rec *r)
{
core_dir_config *conf;
@@ -675,22 +668,22 @@
return conf->ap_auth_type;
}
+*/
/*
* Optional function coming from mod_ident, used for looking up ident user
*/
-/*
-static APR_OPTIONAL_FN_TYPE(authz_host_ap_auth_type) *azh_ap_auth_type;
+static APR_OPTIONAL_FN_TYPE(authn_ap_auth_type) *authn_ap_auth_type;
AP_DECLARE(const char *) ap_auth_type(request_rec *r)
{
- if (azh_ap_auth_type) {
- return azh_ap_auth_type(r);
+ if (authn_ap_auth_type) {
+ return authn_ap_auth_type(r);
}
return NULL;
}
-*/
+/*
AP_DECLARE(const char *) ap_auth_name(request_rec *r)
{
core_dir_config *conf;
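Review bot: The comment kept above the new `authn_ap_auth_type` pointer still reads "Optional function coming from mod_ident, used for looking up ident user", which does not describe a function supplied by mod_authn; the same stale text sits above `authn_ap_auth_name` in the `-700` hunk and above `authz_ap_requires` in the `-741` hunk. Replace it with something like `/* Optional function registered by mod_authn; NULL when the module is not loaded */`. The old core-config versions of `ap_auth_type` and `ap_auth_name` are wrapped in `/* ... */` rather than deleted. Their bodies are only partly visible here, so a comment inside one of them would end the wrapper early; deleting the functions outright avoids that and leaves no dead code.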
@@ -700,21 +693,20 @@
return conf->ap_auth_name;
}
+*/
/*
* Optional function coming from mod_ident, used for looking up ident user
*/
-/*
-static APR_OPTIONAL_FN_TYPE(authz_host_ap_auth_name) *azh_ap_auth_name;
+static APR_OPTIONAL_FN_TYPE(authn_ap_auth_name) *authn_ap_auth_name;
AP_DECLARE(const char *) ap_auth_name(request_rec *r)
{
- if (azh_ap_auth_name) {
- return azh_ap_auth_name(r);
+ if (authn_ap_auth_name) {
+ return authn_ap_auth_name(r);
}
return NULL;
}
-*/
AP_DECLARE(const char *) ap_default_type(request_rec *r)
{
@@ -741,12 +733,12 @@
/*
* Optional function coming from mod_ident, used for looking up ident user
*/
-static APR_OPTIONAL_FN_TYPE(authz_host_ap_requires) *azh_ap_requires;
+static APR_OPTIONAL_FN_TYPE(authz_ap_requires) *authz_ap_requires;
AP_DECLARE(const apr_array_header_t *) ap_requires(request_rec *r)
{
- if (azh_ap_requires) {
- return azh_ap_requires(r);
+ if (authz_ap_requires) {
+ return authz_ap_requires(r);
}
return NULL;
}
@@ -2672,19 +2664,6 @@
}
/*
- * Load an authorisation realm into our location configuration, applying the
- * usual rules that apply to realms.
- */
-static const char *set_authname(cmd_parms *cmd, void *mconfig,
- const char *word1)
-{
- core_dir_config *aconfig = (core_dir_config *)mconfig;
-
- aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
- return NULL;
-}
-
-/*
* Handle a request to include the server's OS platform in the Server
* response header field (the ServerTokens directive). Unfortunately
* this requires a new global in order to communicate the setting back to
@@ -3240,11 +3219,6 @@
"specified URL paths"),
AP_INIT_RAW_ARGS("<FilesMatch", filesection, (void*)1, OR_ALL,
"Container for directives affecting files matching specified patterns"),
-AP_INIT_TAKE1("AuthType", ap_set_string_slot,
- (void*)APR_OFFSETOF(core_dir_config, ap_auth_type), OR_AUTHCFG,
- "An HTTP authorization type (e.g., \"Basic\")"),
-AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG,
- "The authentication realm (e.g. \"Members Only\")"),
AP_INIT_TAKE1("Satisfy", satisfy, NULL, OR_AUTHCFG,
"access policy if both allow and require used ('all' or 'any')"),
#ifdef GPROF
@@ -3729,18 +3703,16 @@
* traffic
*/
APR_OPTIONAL_FN_TYPE(ap_logio_add_bytes_out) *logio_add_bytes_out;
-APR_OPTIONAL_FN_TYPE(authz_some_auth_required) *azh_ap_some_auth_required;
+APR_OPTIONAL_FN_TYPE(authz_some_auth_required) *authz_ap_some_auth_required;
static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
{
logio_add_bytes_out = APR_RETRIEVE_OPTIONAL_FN(ap_logio_add_bytes_out);
ident_lookup = APR_RETRIEVE_OPTIONAL_FN(ap_ident_lookup);
- azh_ap_requires = APR_RETRIEVE_OPTIONAL_FN(authz_host_ap_requires);
- azh_ap_some_auth_required = APR_RETRIEVE_OPTIONAL_FN(authz_some_auth_required);
- /*
- azh_ap_auth_type = APR_RETRIEVE_OPTIONAL_FN(authz_host_ap_auth_type);
- azh_ap_auth_name = APR_RETRIEVE_OPTIONAL_FN(authz_host_ap_auth_name);
- */
+ authz_ap_requires = APR_RETRIEVE_OPTIONAL_FN(authz_ap_requires);
+ authz_ap_some_auth_required = APR_RETRIEVE_OPTIONAL_FN(authz_some_auth_required);
+ authn_ap_auth_type = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_type);
+ authn_ap_auth_name = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_name);
ap_set_version(pconf);
ap_setup_make_content_type(pconf);
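Review bot: None of the four pointers filled in by `core_post_config` is checked after `APR_RETRIEVE_OPTIONAL_FN`, so when mod_authn or mod_authz is not loaded, `ap_auth_type()`, `ap_auth_name()` and `ap_requires()` return NULL for every request without any trace in the log. Before this commit the type and realm came from the core directory config and were always available, so modules that call these accessors may now see NULL where they did not before. A startup message would make the dependency visible, for example `if (!authn_ap_auth_type || !authn_ap_auth_name) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "mod_authn not loaded; AuthType and AuthName are unavailable");`. `core_post_config` continues past the end of the hunk.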
Modified: httpd/httpd/branches/authz-dev/server/request.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/authz-dev/server/request.c?rev=354331&r1=354330&r2=354331&view=diff
==============================================================================
--- httpd/httpd/branches/authz-dev/server/request.c (original)
+++ httpd/httpd/branches/authz-dev/server/request.c Mon Dec 5 22:07:04 2005
@@ -1555,32 +1555,13 @@
return APR_SUCCESS;
}
-extern APR_OPTIONAL_FN_TYPE(authz_some_auth_required) *azh_ap_some_auth_required;
+extern APR_OPTIONAL_FN_TYPE(authz_some_auth_required) *authz_ap_some_auth_required;
AP_DECLARE(int) ap_some_auth_required(request_rec *r)
{
/* Is there a require line configured for the type of *this* req? */
-/*
- const apr_array_header_t *reqs_arr = ap_requires(r);
- require_line *reqs;
- int i;
-
- if (!reqs_arr) {
- return 0;
- }
-
- reqs = (require_line *) reqs_arr->elts;
-
- for (i = 0; i < reqs_arr->nelts; ++i) {
- if (reqs[i].method_mask & (AP_METHOD_BIT << r->method_number)) {
- return 1;
- }
- }
-
- return 0;
-*/
- if (azh_ap_some_auth_required) {
- return azh_ap_some_auth_required(r);
+ if (authz_ap_some_auth_required) {
+ return authz_ap_some_auth_required(r);
}
else
return 0;