httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: svn commit: r956387 - in /httpd/httpd/trunk: CHANGES STATUS modules/aaa/mod_authz_core.c server/request.c
Date Mon, 21 Jun 2010 18:44:11 GMT
On Monday 21 June 2010, Ruediger Pluem wrote:
> On 06/20/2010 09:15 PM, sf@apache.org wrote:
> > Author: sf
> > Date: Sun Jun 20 19:15:01 2010
> > New Revision: 956387
> > 
> > URL: http://svn.apache.org/viewvc?rev=956387&view=rev
> > Log:
> > Fix authorization by user or IP/ENV/...
> > Note ap_note_auth_failure() breakage in STATUS
> > 
> > Modified:
> >     httpd/httpd/trunk/CHANGES
> >     httpd/httpd/trunk/STATUS
> >     httpd/httpd/trunk/modules/aaa/mod_authz_core.c
> >     httpd/httpd/trunk/server/request.c
> > 
> > Modified: httpd/httpd/trunk/server/request.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?
> > rev=956387&r1=956386&r2=956387&view=diff
> > ================================================================
> > ============== --- httpd/httpd/trunk/server/request.c (original)
> > +++ httpd/httpd/trunk/server/request.c Sun Jun 20 19:15:01 2010
> > @@ -201,6 +201,7 @@ AP_DECLARE(int) ap_process_request_inter
> > 
> >          r->ap_auth_type = r->main->ap_auth_type;
> >      
> >      }
> >      else {
> > 
> > +        char *failed_user = NULL;
> > 
> >          switch (ap_satisfies(r)) {
> >          case SATISFY_ALL:
> > 
> >          case SATISFY_NOSPEC:
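
Review bot: The new failed_user declaration at the top of the else block carries no comment, and the name alone does not say why a user name is being set aside. Add a one-line comment stating that it holds the r->user value saved when ap_run_check_user_id() returns HTTP_UNAUTHORIZED. If no other case of the switch needs it, declare it in a block inside the SATISFY_ALL/SATISFY_NOSPEC case to narrow its scope.
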
> > @@ -209,10 +210,21 @@ AP_DECLARE(int) ap_process_request_inter
> > 
> >              }
> >              
> >              if ((access_status = ap_run_check_user_id(r)) != OK)
> >              {
> > 
> > -                return decl_die(access_status, "check user", r);
> > +                if (access_status == HTTP_UNAUTHORIZED) {
> > +                    failed_user = r->user;
> > +                    r->user = NULL;
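
Review bot: In the HTTP_UNAUTHORIZED branch, r->user is set to NULL, and the quoted lines show no point where failed_user is copied back, so code that runs later on this request sees a NULL user. Confirm that r->user is restored from failed_user before any path that reaches decl_die() or writes a log entry, and add a comment explaining why the name is cleared here. Since code reading r->user without a NULL check is affected, the behaviour belongs in the API change notes.
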
> 
> Question: Is this an API change? I mean can authn modules be
> expected to handle r->user == NULL?

The standard modules all handle it, albeit with a somewhat noisy error 
log message. But in fact I have overlooked the fact that it is still 
possible to have authz modules use the 2.2.x-style hooks instead of 
the new provider interface. Therefore this change should at least be 
documented on the API changes page.

In any case the change needs some more testing. It's possible that 
there are some problems because the mod_auth_* may set err_headers_out 
even if it later turns out that no authentication is needed. Maybe the 
change to err_headers_out needs to be undone in that case.

Cheers,
Stefan
