www-apache-bugdb mailing list archives

From John Mechalas <jo...@ichips.intel.com>
Subject Re: mod_auth-any/1809: Suggestion for improving authentication modules and core source code, problem with 401 and ErrorDocument
Date Tue, 17 Feb 1998 20:10:00 GMT
The following reply was made to PR mod_auth-any/1809; it has been noted by GNATS.

From: John Mechalas <johnm@ichips.intel.com>
To: Lars.Eilebrecht@unix-ag.org
Cc: apbugs@Apache.Org
Subject: Re: mod_auth-any/1809: Suggestion for improving authentication modules and core source
code, problem with 401 and ErrorDocument
Date: Tue, 17 Feb 1998 12:09:15 -0800 (PST)

 > If you want to add the diffs to your change-request please
 > reply to this message (without changing the subject line)
 > and include the diffs.
 > Thanks in advance.
 
 Okay...here they are.  Note that these are from the apache 1.2.5 source.
 The mods to http_protocol.c and mod_auth.c have been fully tested and are 
 in production here.  I have not fully tested mod_auth_db.c
 
 The http_protocol.c changes make two environment variables available
 to the subprocess (CGI script):
 
    AUTH_TYPE
    AUTH_NAME
 
 their values come straight from the directives that define access
 control for the requested URL.  They can be used to generate the
 WWW-Authenticate: header (though you have to access them as
 REDIRECT_AUTH_TYPE and REDIRECT_AUTH_NAME because of the way Apache
 handles environment variables during a redirection).
 
 The mods to mod_auth*.c set variables to provide info on what
 authorization is required, and why authorization failed.  This is
 described in the original bug report text.
 
 I wanted to be able to make all modifications to the module code,
 only, but it was not possible.  Apparently, Apache does not consult
 the authentication modules (mod_auth*) if the browser doesn't send an
 authentication string in its requests (and a browser won't send this
 string unless the server sends a "WWW-Authenticate:" header...hence,
 an unresolvable situation, requiring the modification be made in the
 http_protocol.c source).
 
 
 Cheers,
 John
 
 ------------------------------ 8< Cut here 8< ---------------------------------
 
 *** mod_auth.c.dist	Fri Feb 13 17:45:45 1998
 --- mod_auth.c	Tue Feb 17 11:49:48 1998
 ***************
 *** 188,193 ****
 --- 188,194 ----
       conn_rec *c = r->connection;
       char *sent_pw, *real_pw;
       char errstr[MAX_STRING_LEN];
 +     table *e = r->subprocess_env;
       int res;
       
       if ((res = get_basic_auth_pw (r, &sent_pw))) return res;
 ***************
 *** 201,206 ****
 --- 202,208 ----
           ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
   	log_reason (errstr, r->uri, r);
   	note_basic_auth_failure (r);
 + 	table_set(e, "AUTH_ERROR", "user not found");
   	return AUTH_REQUIRED;
       }
       /* anyone know where the prototype for crypt is? */
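Review bot: The `AUTH_ERROR` values added here and in the next hunk ("user not found" versus "password incorrect") give the ErrorDocument handler a distinction that the visible code previously sent only to the error log through `log_reason`. If the handler echoes the variable into the 401 page, an unauthenticated client learns which user names exist. Use one value on both paths, e.g. `table_set(e, "AUTH_ERROR", "authentication failed");`, or add a comment at both calls saying the value must never be shown to the client. The same pair is added in the mod_auth_db.c hunks at 204 and 215, and the enclosing function starts and ends outside this hunk.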
 ***************
 *** 208,213 ****
 --- 210,216 ----
           ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
   	log_reason (errstr, r->uri, r);
   	note_basic_auth_failure (r);
 + 	table_set(e, "AUTH_ERROR", "password incorrect");
   	return AUTH_REQUIRED;
       }
       return OK;
 ***************
 *** 226,231 ****
 --- 229,235 ----
       table *grpstatus;
       array_header *reqs_arr = requires (r);
       require_line *reqs;
 +     table *e = r->subprocess_env;
       
       /* BUG FIX: tadc, 11-Nov-1995.  If there is no "requires" directive, 
        * then any user will do.
 ***************
 *** 247,257 ****
 --- 251,263 ----
   
           t = reqs[x].requirement;
           w = getword(r->pool, &t, ' ');
 + 	table_set(e, "AUTH_REQUIRE", w);
           if(!strcmp(w,"valid-user"))
               return OK;
           if(!strcmp(w,"user")) {
               while(t[0]) {
                   w = getword_conf (r->pool, &t);
 + 		table_merge(e, "AUTH_REQUIRE_ID", w);
                   if(!strcmp(user,w))
                       return OK;
               }
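Review bot: `AUTH_REQUIRE` is overwritten on every pass over `reqs` while `AUTH_REQUIRE_ID` is merged, so with more than one `require` line the first holds only the last keyword examined and the second mixes names from every line; the group loop in the next hunk merges into the same key. The merge also runs before `return OK`, so on a successful request the names checked so far stay in `r->subprocess_env`, and presumably any CGI under the protected area then sees part of the access list. Since the variables are meant for the 401 handler, clear them on the success paths, e.g. `table_unset(e, "AUTH_REQUIRE_ID");` and `table_unset(e, "AUTH_REQUIRE");` before each `return OK`, or record them only once the function is about to return `AUTH_REQUIRED`. The enclosing function starts and ends outside the hunk.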
 ***************
 *** 262,267 ****
 --- 268,274 ----
   	    
               while(t[0]) {
                   w = getword_conf(r->pool, &t);
 + 		table_merge(e, "AUTH_REQUIRE_ID", w);
                   if(table_get (grpstatus, w))
   		    return OK;
               }
 ***************
 *** 274,279 ****
 --- 281,287 ----
       if (!(sec -> auth_authoritative))
         return DECLINED;
   
 +     table_set(e, "AUTH_ERROR", "permission denied");
       note_basic_auth_failure (r);
       return AUTH_REQUIRED;
   }
 ***************
 *** 296,298 ****
 --- 304,307 ----
      NULL,			/* logger */
      NULL				/* header parser */
   };
 + 
 
 
 
 *** mod_auth_db.c.dist	Sun Feb 15 20:44:44 1998
 --- mod_auth_db.c	Sun Feb 15 20:51:52 1998
 ***************
 *** 190,195 ****
 --- 190,196 ----
       conn_rec *c = r->connection;
       char *sent_pw, *real_pw, *colon_pw;
       char errstr[MAX_STRING_LEN];
 +     table *e = r->subprocess_env;
       int res;
       
       if ((res = get_basic_auth_pw (r, &sent_pw)))
 ***************
 *** 204,209 ****
 --- 205,211 ----
           ap_snprintf(errstr, sizeof(errstr), "DB user %s not found", c->user);
   	log_reason (errstr, r->filename, r);
   	note_basic_auth_failure (r);
 + 	table_set(e, "AUTH_ERROR", "user not found");
   	return AUTH_REQUIRED;
       }    
       /* Password is up to first : if exists */
 ***************
 *** 215,220 ****
 --- 217,223 ----
   		"user %s: password mismatch",c->user);
   	log_reason (errstr, r->uri, r);
   	note_basic_auth_failure (r);
 + 	table_set(e, "AUTH_ERROR", "password incorrect");
   	return AUTH_REQUIRED;
       }
       return OK;
 ***************
 *** 232,240 ****
       
       array_header *reqs_arr = requires (r);
       require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
   
       register int x;
 !     const char *t;
       char *w;
   
       if (!sec->auth_dbgrpfile) return DECLINED;
 --- 235,244 ----
       
       array_header *reqs_arr = requires (r);
       require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
 +     table *e = r->subprocess_env;
   
       register int x;
 !     const char *orig_t, *t;
       char *w;
   
       if (!sec->auth_dbgrpfile) return DECLINED;
 ***************
 *** 247,255 ****
 --- 251,267 ----
           t = reqs[x].requirement;
           w = getword(r->pool, &t, ' ');
   	
 + 	table_set(e, "AUTH_REQUIRE", w);
           if(!strcmp(w,"group") && sec->auth_dbgrpfile) {
   	   const char *orig_groups,*groups;
              char *v;
 + 
 + 	   orig_t = t;
 + 	   while(t[0]) {
 + 		w = getword(r->pool, &t, ' ');
 + 		table_merge(e, "AUTH_REQUIRE_ID", w);
 + 	   }
 + 	   t = orig_t;
   
              if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
   	       if (!(sec->auth_dbauthoritative))
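Review bot: The added pre-scan loop consumes the requirement with `getword` and then rewinds `t` through `orig_t`, but nothing explains why the line is read twice. A comment above the loop such as `/* first pass only records the required group names for the 401 handler; t is rewound so the membership check below sees the full list */` would stop a later cleanup from dropping the rewind. As in mod_auth.c, `AUTH_REQUIRE` is set and `AUTH_REQUIRE_ID` merged before the outcome is known, so the values presumably remain in the environment on success too. The enclosing function continues outside the hunk.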
 
 
 
 *** http_protocol.c.dist        Sat Feb 14 19:14:26 1998
 --- http_protocol.c     Sat Feb 14 19:19:57 1998
 ***************
 *** 913,918 ****
 --- 913,922 ----
   {
       const char *auth_line = table_get (r->headers_in, "Authorization");
       char *t;
 +     table *e = r->subprocess_env;
 + 
 +     table_set(e, "AUTH_TYPE", auth_type(r));
 +     table_set(e, "AUTH_NAME", auth_name(r));
       
       if(!(t = auth_type(r)) || strcasecmp(t, "Basic"))
           return DECLINED;
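Review bot: The two added `table_set` calls pass `auth_type(r)` and `auth_name(r)` straight through, although the existing test on the next line (`!(t = auth_type(r))`) shows `auth_type(r)` can be NULL; whether `table_set` accepts a NULL value is not visible here. They also run before any credentials are checked, so `AUTH_TYPE`, which CGI scripts conventionally read as the method used to authenticate the request, is set on requests that have not been authenticated. Guard each call and reuse the existing lookup, e.g. `if ((t = auth_type(r))) table_set(e, "AUTH_TYPE", t);` and `if (auth_name(r)) table_set(e, "AUTH_NAME", auth_name(r));`. Consider distinct names for the pre-authentication values so scripts cannot mistake them for a completed login. The function body continues outside the hunk.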
 
