httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r964156 - in /httpd/httpd/trunk: docs/manual/developer/ include/ modules/aaa/ server/
Date Thu, 15 Jul 2010 07:12:57 GMT


On 07/14/2010 09:59 PM, sf@apache.org wrote:
> Author: sf
> Date: Wed Jul 14 19:59:31 2010
> New Revision: 964156
> 
> URL: http://svn.apache.org/viewvc?rev=964156&view=rev
> Log:
> The approach for allowing authorization by user or IP introduced in r956387,
> etc. causes problems because the authentication module calls
> note_*_auth_failure if authentication fails. This is inappropriate if access is
> later allowed because of the IP.
> 
> So, instead of calling the auth_checker hook even if authentication failed, we
> introduce a new access_checker_ex hook that runs between the access_checker and
> the check_user_id hooks. If an access_checker_ex function returns OK, the
> request will be allowed without authentication.
> 
> To make use of this, change mod_authz_core to walk the require blocks in the
> access_checker_ex phase and deny/allow the request if the authz result does not
> depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
> authz provider from an authz provider needing an authenticated user, the latter
> must return the new AUTHZ_DENIED_NO_USER code.
> 
> 
> Modified:
>     httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml
>     httpd/httpd/trunk/include/ap_mmn.h
>     httpd/httpd/trunk/include/http_request.h
>     httpd/httpd/trunk/include/mod_auth.h
>     httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_core.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_host.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_owner.c
>     httpd/httpd/trunk/modules/aaa/mod_authz_user.c
>     httpd/httpd/trunk/server/request.c
> 
> Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_host.c?rev=964156&r1=964155&r2=964156&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/aaa/mod_authz_host.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c Wed Jul 14 19:59:31 2010
> @@ -104,7 +104,7 @@ static authz_status env_check_authorizat
>          }
>      }
>  
> -    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> +    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,

Why change to debug?

>                    "access to %s failed, reason: env variable list does not meet "
>                    "'require'ments for user '%s' to be allowed access",
>                    r->uri, r->user);
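
Review bot: the message kept as context in this hunk still formats r->user with '%s' ("'require'ments for user '%s' to be allowed access"), but per the log message mod_authz_core now walks the require blocks in the access_checker_ex phase, which runs before check_user_id, so r->user may not be set when the env check logs this line. An env variable check does not depend on a user at all; consider dropping the user clause from the message, or printing it only when r->user is non-NULL.
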
> @@ -162,7 +162,7 @@ static authz_status ip_check_authorizati
>          }
>      }
>  
> -    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> +    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>                    "access to %s failed, reason: ip address list does not meet "
>                    "'require'ments for user '%s' to be allowed access",
>                    r->uri, r->user);
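
Review bot: lowering this ap_log_rerror call from APLOG_ERR to APLOG_DEBUG means a request rejected by the ip address list leaves no entry in the error log unless the server runs at debug level, which removes the record an operator would use to investigate denied clients. If the reason is that a failed ip match is no longer necessarily the final result, the final denial should still be logged at APLOG_ERR by whatever makes that decision; this hunk does not show where that happens, so please point to it or keep the level here.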

Why change to debug?


> @@ -197,7 +197,7 @@ static authz_status host_check_authoriza
>              }
>          }
>  
> -        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> +        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
>                        "access to %s failed, reason: host name list does not meet "
>                        "'require'ments for user '%s' to be allowed access",
>                        r->uri, r->user);
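
Review bot: the log message for this commit describes the new access_checker_ex hook and AUTHZ_DENIED_NO_USER but says nothing about log levels, so the switch to APLOG_DEBUG in the host name check needs a code comment or a line in the commit log giving the reason. The text "access to %s failed" also reads as a final outcome; if the line is demoted because this provider's result is no longer final, reword it to say only that the host name list did not match.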

Why change to debug?


Regards

Rüdiger
