httpd-dev mailing list archives

From "Javier Sagrera" <sagr...@lycos.com>
Subject Clarification on how check_user_id hook works
Date Mon, 09 Oct 2006 12:13:16 GMT

Hi,

I wonder if someone can clarify how the check_user_id hook is supposed to 
work.

Let's say I have two small modules:

Module 1 (x.so) writes a simple message to the error_log file and returns 
"DECLINED"; it is registered with APR_HOOK_MIDDLE.

Module 2 (r_d.so) just returns "DECLINED" to allow other functions in the 
chain to be called, but is registered with APR_HOOK_FIRST.

The issue I see and can't really understand is that the check function in 
the first module is only called if the second module is registered with 
HOOK_FIRST.
I'm using mod_auth to do basic authentication based on AuthUserFile; 
the module is included in my httpd binary.

From what I can see in the source code for mod_auth, the check functions in 
the chain are only called if a function returns DECLINED; if it returns 
something else, it stops the chain.
So I guess that when I only have the first module (the one registered with 
MIDDLE), authenticate_basic_user() in mod_auth.c is being called first, 
and because the user/password is correct, and I don't have the 
auth_authoritative flag in there, it just returns OK and the check function 
in my module is not being called.

But why, when registering the second module as first, doesn't it behave in 
the same way?
How can you control the order of the modules if the module is linked inside 
httpd? I was under the impression that with Ap2 the order is not set by the 
order of LoadModule, but this is not quite right here (I've done some tests 
using mod_auth externally and the order matters).

With the second module registered with FIRST, I guess that the first 
check function being called is the one in the second module; this returns 
"DECLINED" and causes the call to the check function in the first one.
If this is so, why doesn't it call the function in mod_auth instead?

Please, can someone throw some light here 8)

Cheers,
Jav

# ./httpd -V
Server version: Apache/2.0.59
Server built:   Sep 26 2006 18:23:43
Server's Module Magic Number: 20020903:12
Server loaded:  APR 0.9.12, APR-UTIL 0.9.12
Compiled using: APR 0.9.12, APR-UTIL 0.9.12
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_FCNTL_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/www/apache2"
 -D SUEXEC_BIN="/www/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
# ./httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c
#
# grep LoadModule httpd.conf
# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule      hw_module2 infx/x.so
LoadModule      hw_module  infx/r_d.so
#

- - - httpd.conf - - - -
<Location /auth>
AuthType Basic
AuthName  test
require valid-user
AuthUserFile   /tmp/users.txt
</Location>
- - - httpd.conf - - - -


# tail -f error_log
check_user_id() called.
[Mon Oct 09 12:00:51 2006] [error] [client 9.69.30.174] File does not exist: 
/www/apache2/htdocs/auth

- - - - x.c - - - -
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"

int ifx_auth(request_rec *r)
{
   fprintf(stderr,"check_user_id() called.\n");
   fflush(stderr);
   return (DECLINED);
}
static void hw_register_hooks(apr_pool_t* p)
{
    ap_hook_check_user_id(ifx_auth,NULL,NULL,APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA hw_module2 =
{
    STANDARD20_MODULE_STUFF,
    NULL,    /* create per-directory config structures */
    NULL,    /* merge per-directory config structures  */
    NULL,    /* create per-server config structures    */
    NULL,    /* merge per-server config structures     */
    NULL,            /* command handlers */
    hw_register_hooks   /* register hooks   */
};
- - - - x.c - - - -


- - - - r_d.c - - - -
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"

int ifx_auth(request_rec *r)
{
   return (DECLINED);
}
static void hw_register_hooks(apr_pool_t* p)
{
    ap_hook_check_user_id(ifx_auth,NULL,NULL,APR_HOOK_FIRST);
}
module AP_MODULE_DECLARE_DATA hw_module =
{
    STANDARD20_MODULE_STUFF,
    NULL,    /* create per-directory config structures */
    NULL,    /* merge per-directory config structures  */
    NULL,    /* create per-server config structures    */
    NULL,    /* merge per-server config structures     */
    NULL,            /* command handlers */
    hw_register_hooks   /* register hooks   */
};
- - - - r_d.c - - - -


--------mod_auth.c---------

/* These functions return 0 if client is OK, and proper error status
 * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
 * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we
 * couldn't figure out how to tell if the client is authorized or not.
 *
 * If they return DECLINED, and all other modules also decline, that's
 * treated by the server core as a configuration error, logged and
 * reported as such.
 */

/* Determine user ID, and check if it really is that user, for HTTP
 * basic authentication...
 */

static int authenticate_basic_user(request_rec *r)
{
    auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                 &auth_module);
    const char *sent_pw;
    char *real_pw;
    apr_status_t invalid_pw;
    int res;

    if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
        return res;
    }

    if (!conf->auth_pwfile) {
        return DECLINED;
    }

    if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) {
        if (!(conf->auth_authoritative)) {
            return DECLINED;
        }
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "user %s not found: %s", r->user, r->uri);
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    }
    invalid_pw = apr_password_validate(sent_pw, real_pw);
    if (invalid_pw != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "user %s: authentication failure for \"%s\": "
                      "Password Mismatch",
                      r->user, r->uri);
        ap_note_basic_auth_failure(r);
        return HTTP_UNAUTHORIZED;
    }
    return OK;
}
--------mod_auth.c---------
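
The run-until-something-other-than-DECLINED behaviour the message describes, as an added example that is not part of the original post and is not httpd code. It is a stand-alone model: the constants, the `struct hook` layout, the `scenario()` helper and the tie-break rule between hooks registered at the same order value are all assumptions made for illustration.

```c
/* Simplified model of a RUN_FIRST hook chain such as check_user_id.
 * Not httpd code: names, constants and the tie-break rule are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OK        0
#define DECLINED (-1)
enum { HOOK_FIRST = 0, HOOK_MIDDLE = 10 };
struct hook { const char *name; int order; int seq; int rv; };
static char trace[64];          /* names of the hooks that actually ran */

static int by_order(const void *a, const void *b)
{
    const struct hook *x = a, *y = b;
    /* assumed tie-break inside one order group: registration sequence */
    return x->order != y->order ? x->order - y->order : x->seq - y->seq;
}

/* Sort, then call hooks until one returns something other than DECLINED. */
int run_chain(struct hook *h, size_t n)
{
    trace[0] = '\0';
    qsort(h, n, sizeof *h, by_order);
    for (size_t i = 0; i < n; i++) {
        strcat(strcat(trace, h[i].name), " ");
        if (h[i].rv != DECLINED) return h[i].rv;  /* later hooks never run */
    }
    return DECLINED;            /* every hook declined */
}

/* mod_auth answers OK (valid password); x and r_d always decline. */
const char *scenario(int auth_seq, int x_seq, int with_r_d)
{
    struct hook h[3] = {
        { "mod_auth", HOOK_MIDDLE, auth_seq, OK },
        { "x",        HOOK_MIDDLE, x_seq,    DECLINED },
        { "r_d",      HOOK_FIRST,  9,        DECLINED },
    };
    run_chain(h, with_r_d ? 3 : 2);
    return trace;
}

int main(void)
{
    printf("mod_auth sorted before x: %s\n", scenario(0, 1, 0));
    printf("x sorted before mod_auth: %s\n", scenario(1, 0, 0));
    printf("r_d added at HOOK_FIRST:  %s\n", scenario(1, 0, 1));
    return 0;
}
```

In this model, whether the hook in x runs depends only on where it sorts relative to the hook that returns OK.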



