From s.@apache.org
Subject svn commit: r964156 - in /httpd/httpd/trunk: docs/manual/developer/ include/ modules/aaa/ server/
Date Wed, 14 Jul 2010 19:59:32 GMT
Author: sf
Date: Wed Jul 14 19:59:31 2010
New Revision: 964156

URL: http://svn.apache.org/viewvc?rev=964156&view=rev
Log:
The approach for allowing authorization by user or IP introduced in r956387,
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.

So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex function returns OK, the
request will be allowed without authentication.

To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.


Modified:
    httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/include/http_request.h
    httpd/httpd/trunk/include/mod_auth.h
    httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
    httpd/httpd/trunk/modules/aaa/mod_authz_core.c
    httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
    httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
    httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
    httpd/httpd/trunk/modules/aaa/mod_authz_host.c
    httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
    httpd/httpd/trunk/modules/aaa/mod_authz_user.c
    httpd/httpd/trunk/server/request.c

Modified: httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml (original)
+++ httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml Wed Jul 14 19:59:31 2010
@@ -133,9 +133,13 @@
       <li>New EOR bucket type</li>
       <li>New function ap_process_async_request</li>
       <li>New flags AP_AUTH_INTERNAL_PER_CONF and AP_AUTH_INTERNAL_PER_URI</li>
-      <li>New functions ap_hook_check_access, ap_hook_check_authn, ap_hook_check_authz
which accept AP_AUTH_INTERNAL_PER_* flags</li>
-      <li>DEPRECATED direct use of ap_hook_access_checker, ap_hook_check_user_id, ap_hook_auth_checker</li>
-      <li>The auth_checker hook may be called with r-&gt;user == NULL</li>
+      <li>New access_checker_ex hook to apply additional access control and/or
+          bypass authentication.</li>
+      <li>New functions ap_hook_check_access_ex, ap_hook_check_access,
+          ap_hook_check_authn, ap_hook_check_authz which accept
+          AP_AUTH_INTERNAL_PER_* flags</li>
+      <li>DEPRECATED direct use of ap_hook_access_checker, access_checker_ex,
+          ap_hook_check_user_id, ap_hook_auth_checker</li>
     </ul>
     <p>When possible, registering all access control hooks (including
        authentication and authorization hooks) using AP_AUTH_INTERNAL_PER_CONF

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Wed Jul 14 19:59:31 2010
@@ -235,14 +235,17 @@
  * 20100701.0 (2.3.7-dev)  re-order struct members to improve alignment
  * 20100701.1 (2.3.7-dev)  add note_auth_failure hook
  * 20100701.2 (2.3.7-dev)  add ap_proxy_*_wid() functions
+ * 20100714.0 (2.3.7-dev)  add access_checker_ex hook, add AUTHZ_DENIED_NO_USER
+ *                         to authz_status, call authz providers twice to allow
+ *                         authz without authenticated user
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
 
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20100701
+#define MODULE_MAGIC_NUMBER_MAJOR 20100714
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 2                     /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 0                     /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

Modified: httpd/httpd/trunk/include/http_request.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_request.h?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_request.h (original)
+++ httpd/httpd/trunk/include/http_request.h Wed Jul 14 19:59:31 2010
@@ -420,6 +420,20 @@ AP_DECLARE_HOOK(int,type_checker,(reques
 AP_DECLARE_HOOK(int,access_checker,(request_rec *r))
 
 /**
+ * This hook is used to apply additional access control and/or bypass
+ * authentication for this resource. It runs *before* a user is authenticated,
+ * but after the auth_checker hook.
+ * This hook should be registered with ap_hook_check_access_ex().
+ *
+ * @param r the current request
+ * @return OK (allow acces), DECLINED (let later modules decide),
+ *         or HTTP_... (deny access)
+ * @ingroup hooks
+ * @see ap_hook_check_access_ex
+ */
+AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r))
+
+/**
  * This hook is used to check to see if the resource being requested
  * is available for the authenticated user (r->user and r->ap_auth_type).
  * It runs after the access_checker and check_user_id hooks. Note that
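Review bot: The hook placement given in the new doc comment is wrong: it says the hook runs "after the auth_checker hook", whereas this commit's request.c change calls ap_run_access_checker_ex after ap_run_access_checker and before ap_run_check_user_id, and auth_checker itself runs after check_user_id. Suggest ` * but after the access_checker hook and before check_user_id.`. The @return line should also spell out what OK means, since that is the security-relevant case: ` * @return OK (allow access without authentication; check_user_id and auth_checker are skipped), DECLINED (let later modules decide), or HTTP_... (deny access)`, which also fixes the "acces" typo. As the hook is implemented RUN_FIRST in request.c, the first module returning anything other than DECLINED ends the walk, which is worth stating here for implementers.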
@@ -453,6 +467,25 @@ AP_DECLARE(void) ap_hook_check_access(ap
                                       int nOrder, int type);
 
 /**
+ * Register a hook function that will apply additional access control 
+ * and/or bypass authentication for the current request.
+ * @param pf An access_checker_ex hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ *               hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ *                hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ *               aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ *             AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf,
+                                         const char * const *aszPre,
+                                         const char * const *aszSucc,
+                                         int nOrder, int type);
+
+
+/**
  * Register a hook function that will analyze the request headers,
  * authenticate the user, and set the user information in the request record.
  * @param pf A check_user_id hook function

Modified: httpd/httpd/trunk/include/mod_auth.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/mod_auth.h?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/include/mod_auth.h (original)
+++ httpd/httpd/trunk/include/mod_auth.h Wed Jul 14 19:59:31 2010
@@ -73,7 +73,8 @@ typedef enum {
     AUTHZ_DENIED,
     AUTHZ_GRANTED,
     AUTHZ_NEUTRAL,
-    AUTHZ_GENERAL_ERROR
+    AUTHZ_GENERAL_ERROR,
+    AUTHZ_DENIED_NO_USER,      /* denied because r->user == NULL */
 } authz_status;
 
 typedef struct {
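Review bot: The one-line comment on AUTHZ_DENIED_NO_USER does not state the contract the rest of the commit relies on: mod_authz_core treats this value as "run authentication, then ask again", so a provider must return it only when the missing r->user is the sole reason for the denial, and AUTHZ_DENIED whenever the request would be refused for an authenticated user as well (mod_authnz_ldap's have_ldap_url check is an example of the latter). Suggest `AUTHZ_DENIED_NO_USER,      /* denied only because r->user == NULL; use AUTHZ_DENIED if an authenticated user would be denied as well */`. Appending the value after AUTHZ_GENERAL_ERROR keeps the existing constants' numeric values stable, which is the right choice.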

Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Wed Jul 14 19:59:31 2010
@@ -616,6 +616,10 @@ static authz_status ldapuser_check_autho
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
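Review bot: The new guard is placed in front of the `!sec->have_ldap_url` check, so a location with no AuthLDAPURL and no user now returns AUTHZ_DENIED_NO_USER instead of AUTHZ_DENIED; in the access_checker_ex phase mod_authz_core turns that into DECLINED, so the client is challenged for credentials this provider can never verify before being refused. Placing the guard after the have_ldap_url check keeps the misconfiguration failing closed immediately; the same ordering appears in the hunks at L195, L220, L245 and L270. Removing the old check also leaves two consecutive blank lines before the `!strlen(r->user)` test at L193 (and in the other four functions). The enclosing functions start outside these hunks.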
@@ -638,12 +642,6 @@ static authz_status ldapuser_check_autho
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
 
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
@@ -755,6 +753,10 @@ static authz_status ldapgroup_check_auth
     struct mod_auth_ldap_groupattr_entry_t *ent;
     int i;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -813,13 +815,6 @@ static authz_status ldapgroup_check_auth
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",
@@ -971,6 +966,10 @@ static authz_status ldapdn_check_authori
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -993,13 +992,6 @@ static authz_status ldapdn_check_authori
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",
@@ -1083,6 +1075,10 @@ static authz_status ldapattribute_check_
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -1105,13 +1101,6 @@ static authz_status ldapattribute_check_
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",
@@ -1199,6 +1188,10 @@ static authz_status ldapfilter_check_aut
     char filtbuf[FILTER_LENGTH];
     const char *dn = NULL;
 
+    if (!r->user) {
+        return AUTHZ_DENIED_NO_USER;
+    }
+
     if (!sec->have_ldap_url) {
         return AUTHZ_DENIED;
     }
@@ -1221,13 +1214,6 @@ static authz_status ldapfilter_check_aut
      * and populated with the userid and DN of the account in LDAP
      */
 
-    /* Check that we have a userid to start with */
-    if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
-    }
-
     if (!strlen(r->user)) {
         ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
             "ldap authorize: Userid is blank, AuthType=%s",

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Wed Jul 14 19:59:31 2010
@@ -302,7 +302,9 @@ static const char* format_authz_result(a
             ? "denied"
             : ((result == AUTHZ_GRANTED)
                ? "granted"
-               : "neutral"));
+               : ((result == AUTHZ_DENIED_NO_USER)
+                  ? "denied (no authenticated user)"
+                  : "neutral")));
 }
 
 static const char* format_authz_command(apr_pool_t *p,
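Review bot: Extending the nested ternary to a fourth level makes this formatter hard to read, and AUTHZ_GENERAL_ERROR, if it ever reaches this function, is still rendered as "neutral" through the final fallback, which mislabels a provider error in the trace output. A switch over the enum makes every value explicit and lets the compiler warn when a new authz_status is added. The function's signature and the `return` that starts the expression are outside the hunk.
```c
/* … unchanged: signature of format_authz_result(authz_status result) … */
    switch (result) {
    case AUTHZ_DENIED:
        return "denied";
    case AUTHZ_GRANTED:
        return "granted";
    case AUTHZ_DENIED_NO_USER:
        return "denied (no authenticated user)";
    case AUTHZ_GENERAL_ERROR:
        return "general error";
    default:
        return "neutral";
    }
}
```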
@@ -687,7 +689,20 @@ static authz_status apply_authz_sections
             }
 
             if (child_result != AUTHZ_NEUTRAL) {
-                auth_result = child_result;
+                /*
+                 * Handling of AUTHZ_DENIED/AUTHZ_DENIED_NO_USER: Return
+                 * AUTHZ_DENIED_NO_USER if providing a user may change the
+                 * result, AUTHZ_DENIED otherwise.
+                 */
+                if (!(section->op == AUTHZ_LOGIC_AND
+                      && auth_result == AUTHZ_DENIED
+                      && child_result == AUTHZ_DENIED_NO_USER)
+                    && !(section->op == AUTHZ_LOGIC_OR
+                         && auth_result == AUTHZ_DENIED_NO_USER
+                         && child_result == AUTHZ_DENIED) )
+                {
+                    auth_result = child_result;
+                }
 
                 if ((section->op == AUTHZ_LOGIC_AND
                      && child_result == AUTHZ_DENIED)
@@ -705,7 +720,8 @@ static authz_status apply_authz_sections
         if (auth_result == AUTHZ_GRANTED) {
             auth_result = AUTHZ_DENIED;
         }
-        else if (auth_result == AUTHZ_DENIED) {
+        else if (auth_result == AUTHZ_DENIED ||
+                 auth_result == AUTHZ_DENIED_NO_USER) {
             /* For negated directives, if the original result was denied
              * then the new result is neutral since we can not grant
              * access simply because authorization was not rejected.
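Review bot: Mapping AUTHZ_DENIED_NO_USER to AUTHZ_NEUTRAL in the negated case contradicts the rule the previous hunk states for this function ("return AUTHZ_DENIED_NO_USER if providing a user may change the result"): with a user the child could become GRANTED, whose negation is DENIED, so the negated result does depend on a user. Under a <RequireAll> that pairs an IP rule with a negated user rule, the pre-authentication pass then sees GRANTED and NEUTRAL, grants without ever running authentication, and the negated user rule never applies. Keeping the condition as `else if (auth_result == AUTHZ_DENIED) {` and letting AUTHZ_DENIED_NO_USER pass through unchanged would make such a block return DECLINED from the access_checker_ex pass and require authentication; I cannot see the branches that follow, so please check they leave that value untouched. The rest of apply_authz_sections is outside this hunk.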
@@ -722,7 +738,7 @@ static authz_status apply_authz_sections
     return auth_result;
 }
 
-static int authorize_user(request_rec *r)
+static int authorize_user_core(request_rec *r, int after_authn)
 {
     authz_core_dir_conf *conf;
     authz_status auth_result;
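Review bot: authorize_user_core gains an `after_authn` flag that changes the function's status mapping (DECLINED versus HTTP_UNAUTHORIZED for AUTHZ_DENIED_NO_USER, and HTTP_FORBIDDEN for every pre-authentication denial) but carries no comment describing the two modes. Suggest a header comment above it stating that it walks the Require tree for r; with after_authn == 0 it is called from the access_checker_ex hook with r->user unset and returns at least OK, DECLINED (a user is needed) or HTTP_FORBIDDEN; with after_authn == 1 it is the auth_checker hook and may also return HTTP_UNAUTHORIZED. An enum for the two phases would make the call sites in the wrappers self-describing, but a documented int is acceptable.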
@@ -753,8 +769,31 @@ static int authorize_user(request_rec *r
     if (auth_result == AUTHZ_GRANTED) {
         return OK;
     }
+    else if (auth_result == AUTHZ_DENIED_NO_USER) {
+        if (after_authn) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
+                          "authorization failure (no authenticated user): %s",
+                          r->uri);
+            /*
+             * If we're returning 401 to an authenticated user, tell them to
+             * try again. If unauthenticated, note_auth_failure has already
+             * been called during auth.
+             */
+            if (r->user)
+                ap_note_auth_failure(r);
+
+            return HTTP_UNAUTHORIZED;
+        }
+        else {
+            /*
+             * We need a user before we can decide what to do.
+             * Get out of the way and proceed with authentication.
+             */
+            return DECLINED;
+        }
+    }
     else if (auth_result == AUTHZ_DENIED || auth_result == AUTHZ_NEUTRAL) {
-        if (ap_auth_type(r) == NULL) {
+        if (!after_authn || ap_auth_type(r) == NULL) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
                           "client denied by server configuration: %s%s",
                           r->filename ? "" : "uri ",
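Review bot: The justification in the new comment ("if unauthenticated, note_auth_failure has already been called during auth") describes the flow this commit removes from request.c: authz now runs after authentication only when ap_run_check_user_id returned OK, so when r->user is NULL here nothing has issued a challenge and the HTTP_UNAUTHORIZED leaves without a WWW-Authenticate header. In this AUTHZ_DENIED_NO_USER branch the `if (r->user)` guard is also effectively dead, because every provider touched by this commit returns that value only when r->user is NULL. The same guard and comment are added at L397-L403 in the next hunk; restoring the unconditional `ap_note_auth_failure(r);` that L396 removes, and mirroring the `ap_auth_type(r) == NULL` → HTTP_FORBIDDEN check of the AUTHZ_DENIED branch in this one, would keep a 401 from being sent where no challenge can be attached. The `XXX: maybe we want to return FORBIDDEN here, too???` comment added at L390 leaves an open design question in the code and should either name the case it refers to or be resolved.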
@@ -763,12 +802,18 @@ static int authorize_user(request_rec *r
             return HTTP_FORBIDDEN;
         }
         else {
+            /* XXX: maybe we want to return FORBIDDEN here, too??? */
             ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
                           "user %s: authorization failure for \"%s\": ",
                           r->user, r->uri);
 
-            /* If we're returning 403, tell them to try again. */
-            ap_note_auth_failure(r);
+            /*
+             * If we're returning 401 to an authenticated user, tell them to
+             * try again. If unauthenticated, note_auth_failure has already
+             * been called during auth.
+             */
+            if (r->user)
+                ap_note_auth_failure(r);
 
             return HTTP_UNAUTHORIZED;
         }
@@ -781,6 +826,16 @@ static int authorize_user(request_rec *r
     }
 }
 
+static int authorize_userless(request_rec *r)
+{
+    return authorize_user_core(r, 0);
+}
+
+static int authorize_user(request_rec *r)
+{
+    return authorize_user_core(r, 1);
+}
+
 static int authz_some_auth_required(request_rec *r)
 {
     authz_core_dir_conf *conf;
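Review bot: authorize_userless and authorize_user are now the two hook entry points, but neither says which phase it serves, and the names alone do not convey that r->user is NULL in the first. Suggest `/* access_checker_ex hook: authz walk before authentication, r->user is NULL */` above authorize_userless and `/* auth_checker hook: authz walk after authentication */` above authorize_user.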
@@ -803,6 +858,8 @@ static void register_hooks(apr_pool_t *p
     ap_hook_check_config(authz_core_check_config, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_check_authz(authorize_user, NULL, NULL, APR_HOOK_LAST,
                         AP_AUTH_INTERNAL_PER_CONF);
+    ap_hook_check_access_ex(authorize_userless, NULL, NULL, APR_HOOK_LAST,
+                            AP_AUTH_INTERNAL_PER_CONF);
 }
 
 AP_DECLARE_MODULE(authz_core) =

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c Wed Jul 14 19:59:31 2010
@@ -254,9 +254,7 @@ static authz_status dbdgroup_check_autho
                                               &authz_dbd_module);
 
     if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     if (groups == NULL) {
@@ -287,9 +285,7 @@ static authz_status dbdlogin_check_autho
                                               &authz_dbd_module);
 
     if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     return (authz_dbd_login(r, cfg, "login") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);
@@ -302,9 +298,7 @@ static authz_status dbdlogout_check_auth
                                               &authz_dbd_module);
 
     if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     return (authz_dbd_login(r, cfg, "logout") == OK ? AUTHZ_GRANTED : AUTHZ_DENIED);

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c Wed Jul 14 19:59:31 2010
@@ -144,9 +144,7 @@ static authz_status dbmgroup_check_autho
     char *v;
 
     if (!user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     if (!conf->grpfile) {
@@ -216,9 +214,7 @@ static authz_status dbmfilegroup_check_a
     char *v;
 
     if (!user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     if (!conf->grpfile) {

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c Wed Jul 14 19:59:31 2010
@@ -148,9 +148,7 @@ static authz_status group_check_authoriz
     apr_status_t status;
 
     if (!user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     /* If there is no group file - then we are not
@@ -209,9 +207,7 @@ static authz_status filegroup_check_auth
     const char *filegroup = NULL;
 
     if (!user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     /* If there is no group file - then we are not

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_host.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_host.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c Wed Jul 14 19:59:31 2010
@@ -104,7 +104,7 @@ static authz_status env_check_authorizat
         }
     }
 
-    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                   "access to %s failed, reason: env variable list does not meet "
                   "'require'ments for user '%s' to be allowed access",
                   r->uri, r->user);
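Review bot: With these providers now also run from the access_checker_ex pass, r->user is NULL when the messages at L540-L542 (and L549-L551, L558-L560) are formatted, so the "for user '%s'" part prints whatever the logger substitutes for a NULL string (apr_vformatter prints "(null)", if I recall correctly) rather than something an operator can read. Suggest `r->uri, r->user ? r->user : "<none>");` in all three calls. Demoting the messages to APLOG_DEBUG is reasonable now that a mismatch is expected inside a <RequireAny>, since mod_authz_core still reports the final denial at APLOG_ERR.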
@@ -162,7 +162,7 @@ static authz_status ip_check_authorizati
         }
     }
 
-    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                   "access to %s failed, reason: ip address list does not meet "
                   "'require'ments for user '%s' to be allowed access",
                   r->uri, r->user);
@@ -197,7 +197,7 @@ static authz_status host_check_authoriza
             }
         }
 
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                       "access to %s failed, reason: host name list does not meet "
                       "'require'ments for user '%s' to be allowed access",
                       r->uri, r->user);

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_owner.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_owner.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_owner.c Wed Jul 14 19:59:31 2010
@@ -55,9 +55,7 @@ static authz_status fileowner_check_auth
     apr_finfo_t finfo;
 
     if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     if (!r->filename) {

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_user.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_user.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_user.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_user.c Wed Jul 14 19:59:31 2010
@@ -51,9 +51,7 @@ static authz_status user_check_authoriza
     const char *t, *w;
 
     if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     t = require_args;
@@ -74,9 +72,7 @@ static authz_status user_check_authoriza
 static authz_status validuser_check_authorization(request_rec *r, const char *require_line)
 {
     if (!r->user) {
-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-            "access to %s failed, reason: no authenticated user", r->uri);
-        return AUTHZ_DENIED;
+        return AUTHZ_DENIED_NO_USER;
     }
 
     return AUTHZ_GRANTED;

Modified: httpd/httpd/trunk/server/request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=964156&r1=964155&r2=964156&view=diff
==============================================================================
--- httpd/httpd/trunk/server/request.c (original)
+++ httpd/httpd/trunk/server/request.c Wed Jul 14 19:59:31 2010
@@ -63,6 +63,7 @@ APR_HOOK_STRUCT(
     APR_HOOK_LINK(fixups)
     APR_HOOK_LINK(type_checker)
     APR_HOOK_LINK(access_checker)
+    APR_HOOK_LINK(access_checker_ex)
     APR_HOOK_LINK(auth_checker)
     APR_HOOK_LINK(insert_filter)
     APR_HOOK_LINK(create_request)
@@ -80,6 +81,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int,type_che
                             (request_rec *r), (r), DECLINED)
 AP_IMPLEMENT_HOOK_RUN_ALL(int,access_checker,
                           (request_rec *r), (r), OK, DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,access_checker_ex,
+                          (request_rec *r), (r), DECLINED)
 AP_IMPLEMENT_HOOK_RUN_FIRST(int,auth_checker,
                             (request_rec *r), (r), DECLINED)
 AP_IMPLEMENT_HOOK_VOID(insert_filter, (request_rec *r), (r))
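Review bot: access_checker_ex is implemented RUN_FIRST while access_checker directly above is RUN_ALL, so the first hook returning something other than DECLINED — including OK, which bypasses authentication — stops the walk, and a permissive module ordered earlier silently overrides a restrictive one ordered later. That is a defensible design for an "allow without authentication" hook, but it is a behavioural difference from its sibling that deserves a comment here and in http_request.h, e.g. `/* RUN_FIRST: the first non-DECLINED result wins; OK skips authentication */`.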
@@ -205,54 +208,57 @@ AP_DECLARE(int) ap_process_request_inter
         case SATISFY_ALL:
         case SATISFY_NOSPEC:
             if ((access_status = ap_run_access_checker(r)) != OK) {
-                return decl_die(access_status, "check access", r);
+                return decl_die(access_status,
+                                "check access (with Satisfy All)", r);
             }
 
-            if ((access_status = ap_run_check_user_id(r)) != OK) {
-                if (access_status == HTTP_UNAUTHORIZED) {
-                    r->user = NULL;
-                    ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
-                                  "authn failed with HTTP_UNAUTHORIZED, "
-                                  "trying authz without user");
-                }
-                else {
+            access_status = ap_run_access_checker_ex(r);
+            if (access_status == OK) {
+                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+                              "request authorized without authentication by "
+                              "access_checker_autoritative hook: %s", r->uri);
+            }
+            else if (access_status != DECLINED) {
+                return decl_die(access_status, "check access", r);
+            }
+            else {
+                if ((access_status = ap_run_check_user_id(r)) != OK) {
                     return decl_die(access_status, "check user", r);
                 }
-            }
-
-            if ((access_status = ap_run_auth_checker(r)) != OK) {
-                return decl_die(access_status, "check authorization", r);
+                if ((access_status = ap_run_auth_checker(r)) != OK) {
+                    return decl_die(access_status, "check authorization", r);
+                }
             }
             break;
         case SATISFY_ANY:
-            if ((access_status = ap_run_access_checker(r)) != OK) {
+            if ((access_status = ap_run_access_checker(r)) == OK) {
+                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+                              "request authorized without authentication by "
+                              "access_checker hook and 'Satisfy any': %s",
+                              r->uri);
+                break;
+            }
 
+            access_status = ap_run_access_checker_ex(r);
+            if (access_status == OK) {
+                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+                              "request authorized without authentication by "
+                              "access_checker_autoritative hook: %s", r->uri);
+            }
+            else if (access_status != DECLINED) {
+                return decl_die(access_status, "check access", r);
+            }
+            else {
                 if ((access_status = ap_run_check_user_id(r)) != OK) {
-                    if (access_status == HTTP_UNAUTHORIZED) {
-                        r->user = NULL;
-                        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
-                                      "authn failed with HTTP_UNAUTHORIZED, "
-                                      "trying authz without user");
-                    }
-                    else {
-                        return decl_die(access_status, "check user", r);
-                    }
+                    return decl_die(access_status, "check user", r);
                 }
 
                 if ((access_status = ap_run_auth_checker(r)) != OK) {
                     return decl_die(access_status, "check authorization", r);
                 }
             }
-            else {
-                    ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
-                        "request authorized without authentication by "
-                        "access_checker hook and 'Satisfy any': %s",
-                        r->uri);
-            }
             break;
         }
-
-
     }
     /* XXX Must make certain the ap_run_type_checker short circuits mime
      * in mod-proxy for r->proxyreq && r->parsed_uri.scheme
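Review bot: Both new trace messages (L649-L650 and L681-L682) attribute the decision to an "access_checker_autoritative hook", but the hook introduced by this commit is access_checker_ex and the word is misspelt; suggest `"access_checker_ex hook: %s", r->uri);` in both. Beyond that, the SATISFY_ALL and SATISFY_ANY arms now carry an identical access_checker_ex → check_user_id → auth_checker sequence, which is the kind of duplication that drifts over time; a static helper keeps the two arms in step (sketch below; decl_die is assumed to return the status ap_process_request_internal should return, as the existing `return decl_die(...)` lines suggest). ap_process_request_internal begins and ends outside this hunk.
```c
/* Run the access_checker_ex hook and, unless it granted the request,
 * authentication and authorization.  Returns OK or the status to
 * return from ap_process_request_internal(). */
static int run_authn_authz(request_rec *r)
{
    int access_status = ap_run_access_checker_ex(r);

    if (access_status == OK) {
        ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
                      "request authorized without authentication by "
                      "access_checker_ex hook: %s", r->uri);
        return OK;
    }
    if (access_status != DECLINED) {
        return decl_die(access_status, "check access", r);
    }
    if ((access_status = ap_run_check_user_id(r)) != OK) {
        return decl_die(access_status, "check user", r);
    }
    if ((access_status = ap_run_auth_checker(r)) != OK) {
        return decl_die(access_status, "check authorization", r);
    }
    return OK;
}

/* … in ap_process_request_internal(), used by both SATISFY arms … */
            if ((access_status = run_authn_authz(r)) != OK) {
                return access_status;
            }
            break;
```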
@@ -1734,6 +1740,9 @@ AP_DECLARE(void) ap_setup_auth_internal(
     if (_hooks.link_access_checker) {
         total_auth_hooks += _hooks.link_access_checker->nelts;
     }
+    if (_hooks.link_access_checker_ex) {
+        total_auth_hooks += _hooks.link_access_checker_ex->nelts;
+    }
     if (_hooks.link_check_user_id) {
         total_auth_hooks += _hooks.link_check_user_id->nelts;
     }
@@ -1786,6 +1795,18 @@ AP_DECLARE(void) ap_hook_check_access(ap
     ap_hook_access_checker(pf, aszPre, aszSucc, nOrder);
 }
 
+AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf,
+                                      const char * const *aszPre,
+                                      const char * const *aszSucc,
+                                      int nOrder, int type)
+{
+    if ((type & AP_AUTH_INTERNAL_MASK) == AP_AUTH_INTERNAL_PER_CONF) {
+        ++auth_internal_per_conf_hooks;
+    }
+
+    ap_hook_access_checker_ex(pf, aszPre, aszSucc, nOrder);
+}
+
 AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
                                      const char * const *aszPre,
                                      const char * const *aszSucc,
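Review bot: The continuation lines of the new definition (L733-L735) are indented three columns short of the opening parenthesis, unlike the sibling ap_hook_check_authn below (L745-L747) and the header declaration at L140-L142. Aligning them under `ap_HOOK_access_checker_ex_t` keeps the file's style. Counting only AP_AUTH_INTERNAL_PER_CONF registrations mirrors ap_hook_check_access, so the per-conf accounting stays consistent.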


