httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <oh...@cox.net>
Subject Re: ssl_var_lookup snippet was Re: Confused about modules processing order...
Date Tue, 26 Jun 2012 21:56:33 GMT

---- Sorin Manolache <sorinm@gmail.com> wrote: 
> On 2012-06-26 22:17, ohaya@cox.net wrote:
> >
> > ---- Sorin Manolache<sorinm@gmail.com>  wrote:
> >> On 2012-06-26 19:56, ohaya@cox.net wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook
one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There,
in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e.,
my check_user_id hook function is being called, but none of the SSL vars are populated (since,
as you said mod_ssl doesn't populate them until the fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to
get yourself the values of the server certificates, client certificate, etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> >
> >
> > Sorin,
> >
> > THANKS for that pointer to ssl_var_lookup.
> >
> > As a very small payback (VERY small) for your help (and others), and for the record,
I put the following code (assembled from various places) in the ap_headers_early, and it seems
to work "somewhat")
> >
> >
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> >
> > printf("In ap_headers_early\n");
> >
> > printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> >
> > typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*,
char*);
> >
> > ssl_var_lookup_t ssl_var_lookup = 0;
> >
> > ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> >
> > const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r,
"SSL_CLIENT_CERT");
> >
> > printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> > .
> > .
> >
> > and it seems to work perfectly!!
> >
> >
> > Do you think that such calls would work in ANY hook?  In other words, would I be
at my leisure to use that in ANY of the module hooks?
> 
> No, it won't work in any hook, in my opinion. The availability of the 
> data depends on the phase (hook) in which you run the ssl_var_lookup.
> 
> I think, though I'm not sure, that the data are gathered in the 
> post_read_request hook. If so, ssl_var_lookup would work in any hook 
> that is called after post_read_request.
> 
> ap_headers_early is run in post_read_request. My intuition is that 
> putting your code there is slightly too early. This is because the 
> directory-wide configuration of the request is not yet correctly set in 
> this phase and URL rewrite rules have not yet been applied, although I 
> don't know if this would affect your functionality.
> 
> I'd put the code either in header_parser or in check_user_id and I'd try 
> to make sure that my check_user_id is run before webgate's check_user_id.
> 
> I'd go for header_parser as it is always run for main requests. 
> check_user_id is run only when some conditions are satisfied (check the 
> ap_process_request_internal in server/request.c).
> 
> If you go for check_user_id, make sure that it is run before Oracle's 
> check_user_id. In order to do so, you can use APR_HOOK_FIRST 
> (ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)), 
> or you can use something like
> 
> static const char *successor[] = {nameoftheoraclesourcefile, NULL};
> ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);
> 
> (See how mod_ssl places its post_read_request _after_ mod_setenvif's in 
> modules/ssl/mod_ssl.c)
> 
> Also, I would not change mod_headers, I would write my own module in 
> which I'd place my header_parser hook.
> 
> Sorin


Hi Sorin,

FYI, it looks like that ssl_var_lookup() call DOES work, even in the post_read_request/ap_headers_early
hook!!

I moved the code that I had before in the insert_header hook to the post_read_request hook,
then modified it to do the ssl_var_lookup() call to get the SSL_CLIENT_CERT PEM rather than
getting it from r->subprocess_env.

I didn't describe what I'm trying to do clearly earlier with this module, but basically, with
my module, I'm trying to intercept the Apache request processing and, in my module, get a
SSO-type cookie/token that, normally, the webgate looks for to determine if the user has been
previously authenticated, and inject that cookie into the request.  

Right now, as I said, my code is in the post_read_request hook, and it's working (thanks in
large part to your help!), but only to a point.  It's able to get the cookie, and inject it
into the request, and then, I *think* the webgate is doing its processing.

The problem I'm now having is that I end up getting 403/Forbidden response from Apache after
all of that.  I'm not quite sure why yet.

If I disable the webgate, everything works ok.  

Also, this is a prototype.  My intention is that if I can get it working, I'd implement a
new module from scratch, as you recommended, but I need to get this prototype working first,
I think....

Thanks,
Jim

Mime
View raw message