From s.@apache.org
Subject svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS modules/aaa/mod_authz_core.c server/request.c
Date Sun, 20 Jun 2010 19:15:01 GMT
Author: sf
Date: Sun Jun 20 19:15:01 2010
New Revision: 956387

URL: http://svn.apache.org/viewvc?rev=956387&view=rev
Log:
Fix authorization by user or IP/ENV/...
Note ap_note_auth_failure() breakage in STATUS

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/STATUS
    httpd/httpd/trunk/modules/aaa/mod_authz_core.c
    httpd/httpd/trunk/server/request.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Jun 20 19:15:01 2010
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.7
 
+  *) core: Try to proceed with authorization even if authentication failed.
+     This allows e.g. to authorize by user _or_ ip address. [Stefan Fritsch]
+
   *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
 
   *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]

Modified: httpd/httpd/trunk/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/STATUS?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/STATUS (original)
+++ httpd/httpd/trunk/STATUS Sun Jun 20 19:15:01 2010
@@ -67,15 +67,17 @@ RELEASE SHOWSTOPPERS:
   * Modules without documentation need to be moved to experimental or be
     removed.
 
-  * There is no working equivalent to 'Satisfy any' to authorize by
-    user _or_ IP address:
-    http://mail-archives.apache.org/mod_mbox/httpd-dev/200912.mbox/<4B28E73C.4050209%40kippdata.de>
-
   * Not all MPMs are updated to set conn_rec::current_thread correctly.
       (Prefork, Worker, Event, Simple are updated).
       jim sez: Then we just ship with those... mark any others as
                 experimental
 
+  * Fix or remove ap_note_auth_failure():
+    There are two incompatible sets of *note_*_auth_failure functions, one in
+    server/protocol.c, the other in mod_auth_*.c. The set in server/protocol.c
+    should be axed and ap_note_auth_failure() must either call the functions in
+    mod_auth_*.c or must be removed, too.
+
   FOR NEXT ALPHA:
 
 

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Sun Jun 20 19:15:01 2010
@@ -754,7 +754,7 @@ static int authorize_user(request_rec *r
         return OK;
     }
     else if (auth_result == AUTHZ_DENIED || auth_result == AUTHZ_NEUTRAL) {
-        if (r->ap_auth_type == NULL) {
+        if (ap_auth_type(r) == NULL) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
                           "client denied by server configuration: %s%s",
                           r->filename ? "" : "uri ",
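Review bot: The 401-versus-403 decision on the changed line now keys on ap_auth_type(r) instead of r->ap_auth_type, and nothing at the site records why the two differ here; presumably ap_auth_type(r) reflects the configured AuthType while r->ap_auth_type is only populated by an authn module that actually ran, which matters now that authz can be reached after a failed authn, but that is inferred rather than visible in the hunk. A one-line why-comment would stop the next reader from reverting it: `/* configured AuthType, not r->ap_auth_type: authz may run after a failed authn */`. The enclosing authorize_user() starts before this hunk.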
@@ -768,7 +768,8 @@ static int authorize_user(request_rec *r
                           r->user, r->uri);
 
             /* If we're returning 403, tell them to try again. */
-            ap_note_auth_failure(r);
+            /* XXX: ap_note_auth_failure is currently broken */
+            /*ap_note_auth_failure(r);*/
 
             return HTTP_UNAUTHORIZED;
         }
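Review bot: With ap_note_auth_failure() commented out on the new lines, the HTTP_UNAUTHORIZED returned just below can leave without a WWW-Authenticate header whenever no authn module has already noted a challenge for this request — plausibly the case when authentication succeeded and only authorization denied — and a 401 without a challenge is not something a client can act on. The STATUS entry in the same commit tracks the underlying breakage, but nothing at this site points at it, so the dead call is easy to delete silently later; replace the two comment lines with `/* XXX: ap_note_auth_failure() is broken (see STATUS); until it is fixed a 401 from here carries no WWW-Authenticate header */`. The enclosing authorize_user() starts before this hunk.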

Modified: httpd/httpd/trunk/server/request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=956387&r1=956386&r2=956387&view=diff
==============================================================================
--- httpd/httpd/trunk/server/request.c (original)
+++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
@@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
         r->ap_auth_type = r->main->ap_auth_type;
     }
     else {
+        char *failed_user = NULL;
         switch (ap_satisfies(r)) {
         case SATISFY_ALL:
         case SATISFY_NOSPEC:
@@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
             }
 
             if ((access_status = ap_run_check_user_id(r)) != OK) {
-                return decl_die(access_status, "check user", r);
+                if (access_status == HTTP_UNAUTHORIZED) {
+                    failed_user = r->user;
+                    r->user = NULL;
+                    ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+                                  "authn failed with HTTP_UNAUTHORIZED, "
+                                  "trying authz without user");
+                }
+                else {
+                    return decl_die(access_status, "check user", r);
+                }
             }
 
             if ((access_status = ap_run_auth_checker(r)) != OK) {
+                if (failed_user)
+                    r->user = failed_user;
                 return decl_die(access_status, "check authorization", r);
             }
             break;
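Review bot: After the authn soft-fail on the added lines, r->user is cleared but r->ap_auth_type is left as whatever the authn module may have set, so ap_run_auth_checker() runs in a state where an auth type can be present while no verified user exists; every authz provider therefore has to treat a NULL r->user as "not authenticated" rather than assume a non-NULL user after check_user_id, and a provider that keyed on r->ap_auth_type alone would be bypassable. That contract should be stated where the user is cleared: `/* authz providers must treat r->user == NULL as unauthenticated; r->ap_auth_type may still be set */`. Likewise failed_user holds a name that was never verified and is restored only so the decl_die() path logs the attempted name, which the restore line should say: `r->user = failed_user; /* unverified, for logging only */`. The enclosing ap_process_request_internal() continues outside the hunk.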
@@ -220,10 +232,21 @@ AP_DECLARE(int) ap_process_request_inter
             if ((access_status = ap_run_access_checker(r)) != OK) {
 
                 if ((access_status = ap_run_check_user_id(r)) != OK) {
-                    return decl_die(access_status, "check user", r);
+                    if (access_status == HTTP_UNAUTHORIZED) {
+                        failed_user = r->user;
+                        r->user = NULL;
+                        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+                                      "authn failed with HTTP_UNAUTHORIZED, "
+                                      "trying authz without user");
+                    }
+                    else {
+                        return decl_die(access_status, "check user", r);
+                    }
                 }
 
                 if ((access_status = ap_run_auth_checker(r)) != OK) {
+                    if (failed_user)
+                        r->user = failed_user;
                     return decl_die(access_status, "check authorization", r);
                 }
             }
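Review bot: The authn/authz sequence added here is a line-for-line copy of the SATISFY_ALL branch earlier in the same function — failed_user stash, user clearing, the TRACE2 message, the restore before decl_die — and the two copies will drift the first time one of them is touched. Factoring it into a static helper that returns OK or the decl_die() status keeps a single place that documents the soft-fail contract, with each branch reduced to `if ((access_status = run_authn_authz(r)) != OK) return access_status;`. The helper would live above ap_process_request_internal(), outside this hunk, and the function itself continues past the hunk end.
```c
/* Run authn, then authz.  An authn failure of HTTP_UNAUTHORIZED is not
 * fatal: authz still gets the chance to grant access on other grounds
 * (e.g. IP address) with r->user cleared, so providers must treat a NULL
 * user as unauthenticated.  If authz then denies, the attempted
 * (unverified) user name is put back so the error path can log it.
 * Returns OK, or the status decl_die() produced. */
static int run_authn_authz(request_rec *r)
{
    int access_status;
    char *failed_user = NULL;

    if ((access_status = ap_run_check_user_id(r)) != OK) {
        if (access_status != HTTP_UNAUTHORIZED) {
            return decl_die(access_status, "check user", r);
        }
        failed_user = r->user;
        r->user = NULL;
        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
                      "authn failed with HTTP_UNAUTHORIZED, "
                      "trying authz without user");
    }

    if ((access_status = ap_run_auth_checker(r)) != OK) {
        if (failed_user) {
            r->user = failed_user;
        }
        return decl_die(access_status, "check authorization", r);
    }
    return OK;
}

/* … unchanged: start of ap_process_request_internal up to the SATISFY_ANY case … */
            if ((access_status = ap_run_access_checker(r)) != OK) {
                if ((access_status = run_authn_authz(r)) != OK) {
                    return access_status;
                }
            }
```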


