While cleaning up the 2.1 auth docs, some things bubbled up that are worth
patching, imho :) If all patches are applied, applying them in the
described order should work. But first a general question: What's the
reason that Auth*Provider cannot be determined in .htaccess files?
The worst case would be a 500, similar to the usage of AuthDBM* directives
if no mod_authn_dbm is configured, so I see no problem in .htaccess-allowed
*Provider directives.
- yesno.diff:
There is some confusion with "yes" and "no" and "on" and "off"... ;-)
By the way: the AccessAuthoritative directive in mod_authz_default is
wrongly named, isn't it? I think it should be AuthzDefaultAuthoritative.
No patch for this, because trivial ;-)
- authoritative.diff:
When asking the providers for authentication, the main loop should not only
break if access is granted. It should also break if access was *denied*
by one provider. To be safe, it also has to break if an error occurred. So
the patch turns the condition around and continues only if the user was
not found.
I also find it weird that if auth was denied (by password usually), the
AuthBasicAuthoritative behaviour can override that by "passing to lower
modules". The patch changes that behaviour, too.
- null.diff:
Ouch. There are some possible NULL pointer references. Have you ever tried
AuthDigestProvider dbm? This results in a great kaboom. The patch makes
Apache throw an error if someone tries a provider that doesn't support
the particular auth scheme.
- anon2p.diff:
mod_authn_anon should be a provider, too, shouldn't it? This patch resolves
that. That drops the Anonymous_Authoritative directive, of course.
By the way, is now the time to give the anon directives a better face? ;-))
nd
--
>can someone tell me what exactly @-domains are?
A myth. An advertising gimmick. A con. Call it what you like...
-- Alexandra Buss and Björn Höhrmann in dciwam
Index: modules/aaa/mod_auth_basic.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_basic.c,v
retrieving revision 1.7
diff -u -r1.7 mod_auth_basic.c
--- modules/aaa/mod_auth_basic.c 30 Nov 2002 18:48:40 -0000 1.7
+++ modules/aaa/mod_auth_basic.c 8 Dec 2002 13:22:49 -0000
@@ -264,8 +264,8 @@
auth_result = provider->check_password(r, sent_user, sent_pw);
- /* Access is granted. Stop checking. */
- if (auth_result == AUTH_GRANTED) {
+ /* Something occured. Stop checking. */
+ if (auth_result != AUTH_USER_NOT_FOUND) {
break;
}
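Review bot: with the new test in this loop, AUTH_DENIED and AUTH_GENERAL_ERROR from an earlier provider end the walk, so the order in which providers are listed now decides the outcome when the same user exists in more than one store. That deserves a sentence in the provider directive documentation. The replacement comment is also less informative than the one it removes; something like "Stop unless the provider did not know the user" would say what the test means.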
@@ -281,7 +281,7 @@
int return_code;
/* If we're not authoritative, then any error is ignored. */
- if (!(conf->authoritative)) {
+ if (!(conf->authoritative) && auth_result != AUTH_DENIED) {
return DECLINED;
}
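Review bot: the comment left above the changed test, "any error is ignored", no longer matches the code, because AUTH_DENIED is now excluded from it. Note also that AUTH_GENERAL_ERROR still returns DECLINED when authoritative is off, so a provider failure is handed to lower modules even though the loop change treats an error as a reason to stop. If that is intended, say so in the comment; otherwise test for auth_result == AUTH_USER_NOT_FOUND here.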
Index: modules/aaa/mod_auth_digest.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_digest.c,v
retrieving revision 1.73
diff -u -r1.73 mod_auth_digest.c
--- modules/aaa/mod_auth_digest.c 30 Nov 2002 18:48:41 -0000 1.73
+++ modules/aaa/mod_auth_digest.c 8 Dec 2002 13:22:58 -0000
@@ -1486,8 +1486,8 @@
auth_result = provider->get_realm_hash(r, user, conf->realm,
&password);
- /* User is found. Stop checking. */
- if (auth_result == AUTH_USER_FOUND) {
+ /* Something occured. Stop checking. */
+ if (auth_result != AUTH_USER_NOT_FOUND) {
break;
}
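Review bot: "occured" in the added comment should be "occurred", and the comment would be clearer if it named the condition, for example "Stop unless the user was not found". The mod_auth_basic.c loop carries the same comment text.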
Index: modules/aaa/mod_auth_basic.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_basic.c,v
retrieving revision 1.7
diff -u -r1.7 mod_auth_basic.c
--- modules/aaa/mod_auth_basic.c 30 Nov 2002 18:48:40 -0000 1.7
+++ modules/aaa/mod_auth_basic.c 8 Dec 2002 13:43:46 -0000
@@ -125,6 +125,13 @@
newp->provider_name);
}
+ if (!newp->provider->check_password) {
+ /* if it doesn't provide the appropriate function, reject it */
+ return apr_psprintf(cmd->pool,
+ "The '%s' Authn provider doesn't support "
+ "Basic Authentication", provider_name);
+ }
+
/* Add it to the list now. */
if (!conf->providers) {
conf->providers = newp;
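Review bot: the new error message passes provider_name, while the context line just above the check uses newp->provider_name. Unless provider_name is a separate local or parameter of this function, use newp->provider_name in the apr_psprintf call as well. The matching mod_auth_digest.c hunk has the same pattern.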
@@ -257,6 +264,13 @@
if (!current_provider) {
provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
AUTHN_DEFAULT_PROVIDER, "0");
+
+ if (!provider || !provider->check_password) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "No Authn provider configured");
+ auth_result = AUTH_GENERAL_ERROR;
+ break;
+ }
}
else {
provider = current_provider->provider;
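Review bot: the added check logs "No Authn provider configured" for two different situations: no default provider registered (provider is NULL) and a default provider that lacks check_password. Separate messages, or at least naming AUTHN_DEFAULT_PROVIDER in the text, would make the failure much easier to diagnose from the error log. The same applies to the get_realm_hash check in mod_auth_digest.c.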
Index: modules/aaa/mod_auth_digest.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_digest.c,v
retrieving revision 1.73
diff -u -r1.73 mod_auth_digest.c
--- modules/aaa/mod_auth_digest.c 30 Nov 2002 18:48:41 -0000 1.73
+++ modules/aaa/mod_auth_digest.c 8 Dec 2002 13:43:55 -0000
@@ -516,6 +516,13 @@
newp->provider_name);
}
+ if (!newp->provider->get_realm_hash) {
+ /* if it doesn't provide the appropriate function, reject it */
+ return apr_psprintf(cmd->pool,
+ "The '%s' Authn provider doesn't support "
+ "Digest Authentication", provider_name);
+ }
+
/* Add it to the list now. */
if (!conf->providers) {
conf->providers = newp;
@@ -1477,6 +1484,13 @@
if (!current_provider) {
provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
AUTHN_DEFAULT_PROVIDER, "0");
+
+ if (!provider || !provider->get_realm_hash) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "No Authn provider configured");
+ auth_result = AUTH_GENERAL_ERROR;
+ break;
+ }
}
else {
provider = current_provider->provider;
Index: modules/aaa/mod_authn_anon.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authn_anon.c,v
retrieving revision 1.1
diff -u -r1.1 mod_authn_anon.c
--- modules/aaa/mod_authn_anon.c 10 Sep 2002 00:15:39 -0000 1.1
+++ modules/aaa/mod_authn_anon.c 8 Dec 2002 13:49:54 -0000
@@ -79,7 +79,6 @@
* Anonymous_LogEmail [ on | off ] default = on
* Anonymous_VerifyEmail [ on | off ] default = off
* Anonymous_NoUserId [ on | off ] default = off
- * Anonymous_Authoritative [ on | off ] default = off
*
* The magic user id is something like 'anonymous', it is NOT case sensitive.
*
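Review bot: removing Anonymous_Authoritative here (and from the command table further down) means an existing configuration that still sets it will be rejected as an unknown directive. This needs an entry in the upgrade notes and in the module documentation saying what to configure instead.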
@@ -99,6 +98,7 @@
#define APR_WANT_STRFUNC
#include "apr_want.h"
+#include "ap_provider.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
@@ -106,6 +106,8 @@
#include "http_request.h"
#include "http_protocol.h"
+#include "mod_auth.h"
+
typedef struct anon_auth_pw {
char *password;
struct anon_auth_pw *next;
@@ -117,7 +119,6 @@
int logemail;
int verifyemail;
int mustemail;
- int authoritative;
} authn_anon_config_rec;
static void *create_authn_anon_dir_config(apr_pool_t *p, char *d)
@@ -131,7 +132,6 @@
conf->logemail = 1;
conf->verifyemail = 0;
conf->mustemail = 1;
- conf->authoritative = 0;
return conf;
}
@@ -175,48 +175,42 @@
AP_INIT_FLAG("Anonymous_LogEmail", ap_set_flag_slot,
(void *)APR_OFFSETOF(authn_anon_config_rec, logemail),
OR_AUTHCFG, "Limited to 'on' or 'off'"),
- AP_INIT_FLAG("Anonymous_Authoritative", ap_set_flag_slot,
- (void *)APR_OFFSETOF(authn_anon_config_rec, authoritative),
- OR_AUTHCFG, "Limited to 'on' or 'off'"),
{NULL}
};
module AP_MODULE_DECLARE_DATA authn_anon_module;
-static int anon_authenticate_basic_user(request_rec *r)
+static authn_status check_anonymous(request_rec *r, const char *user,
+ const char *sent_pw)
{
authn_anon_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authn_anon_module);
- const char *sent_pw;
- int res = DECLINED;
-
- if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
- return res;
- }
+ authn_status res = AUTH_USER_NOT_FOUND;
/* Ignore if we are not configured */
if (!conf->passwords) {
- return DECLINED;
+ return AUTH_USER_NOT_FOUND;
}
/* Do we allow an empty userID and/or is it the magic one
*/
- if ((!(r->user[0])) && (conf->nouserid)) {
- res = OK;
+ if ((!user[0]) && (conf->nouserid)) {
+ res = AUTH_USER_FOUND;
}
else {
anon_auth_pw *p = conf->passwords;
- res = DECLINED;
- while ((res == DECLINED) && (p != NULL)) {
- if (!(strcasecmp(r->user, p->password))) {
- res = OK;
+ res = AUTH_USER_NOT_FOUND;
+ while ((res == AUTH_USER_NOT_FOUND) && (p != NULL)) {
+ if (!strcasecmp(user, p->password)) {
+ res = AUTH_USER_FOUND;
}
p = p->next;
}
}
+
/* Is username is OK and password been filled out (if required) */
- if ((res == OK) && ((!conf->mustemail) || strlen(sent_pw)) &&
+ if ((res == AUTH_USER_FOUND) && ((!conf->mustemail) || strlen(sent_pw)) &&
/* does the password look like an email address ? */
((!conf->verifyemail) ||
((strpbrk("@", sent_pw) != NULL) &&
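Review bot: in the rewritten condition, strlen(sent_pw) is called without a NULL test, while the log call in the next hunk guards with sent_pw ? sent_pw : 'none'. As a hook the function obtained sent_pw itself through ap_get_basic_auth_pw; as a provider it takes whatever the caller passes, so either check sent_pw for NULL before strlen and strpbrk or document that providers are never called with a NULL password. The initial res = AUTH_USER_NOT_FOUND is also repeated in the else branch; one of the two assignments can go.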
@@ -226,24 +220,22 @@
"Anonymous: Passwd <%s> Accepted",
sent_pw ? sent_pw : "\'none\'");
}
- return OK;
- }
- else {
- if (conf->authoritative) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
- "Anonymous: Authoritative, Passwd <%s> not accepted",
- sent_pw ? sent_pw : "\'none\'");
- return HTTP_UNAUTHORIZED;
- }
- /* Drop out the bottom to return DECLINED */
+ return AUTH_GRANTED;
}
- return DECLINED;
+ return (res == AUTH_USER_NOT_FOUND ? res : AUTH_DENIED);
}
+static const authn_provider authn_anon_provider =
+{
+ &check_anonymous,
+ NULL
+};
+
static void register_hooks(apr_pool_t *p)
{
- ap_hook_check_user_id(anon_authenticate_basic_user,NULL,NULL,APR_HOOK_MIDDLE);
+ ap_register_provider(p, AUTHN_PROVIDER_GROUP, "anon", "0",
+ &authn_anon_provider);
}
module AP_MODULE_DECLARE_DATA authn_anon_module =
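Review bot: the removed else branch was the only place where a rejected anonymous login was logged (when authoritative was set), and the new final return yields AUTH_DENIED silently. Keep an ap_log_rerror call on the AUTH_DENIED path unless the caller is known to log it. Also, authn_anon_provider leaves its second function pointer NULL, so this patch should only go in together with null.diff, which rejects providers lacking the function a scheme needs.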
Index: modules/aaa/mod_auth_basic.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_auth_basic.c,v
retrieving revision 1.7
diff -u -r1.7 mod_auth_basic.c
--- modules/aaa/mod_auth_basic.c 30 Nov 2002 18:48:40 -0000 1.7
+++ modules/aaa/mod_auth_basic.c 8 Dec 2002 14:08:59 -0000
@@ -148,7 +148,7 @@
AP_INIT_FLAG("AuthBasicAuthoritative", ap_set_flag_slot,
(void *)APR_OFFSETOF(auth_basic_config_rec, authoritative),
OR_AUTHCFG,
- "Set to 'no' to allow access control to be passed along to "
+ "Set to 'Off' to allow access control to be passed along to "
"lower modules if the UserID is not known to this module"),
{NULL}
};
Index: modules/aaa/mod_authn_default.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authn_default.c,v
retrieving revision 1.1
diff -u -r1.1 mod_authn_default.c
--- modules/aaa/mod_authn_default.c 10 Sep 2002 00:15:39 -0000 1.1
+++ modules/aaa/mod_authn_default.c 8 Dec 2002 14:09:00 -0000
@@ -99,9 +99,9 @@
(void *)APR_OFFSETOF(authn_default_config_rec,
authoritative),
OR_AUTHCFG,
- "Set to 'no' to allow access control to be passed along to "
+ "Set to 'Off' to allow access control to be passed along to "
"lower modules if the UserID is not known to this module. "
- "(default is yes)."),
+ "(default is On)."),
{NULL}
};
Index: modules/aaa/mod_authz_dbm.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authz_dbm.c,v
retrieving revision 1.2
diff -u -r1.2 mod_authz_dbm.c
--- modules/aaa/mod_authz_dbm.c 13 Sep 2002 23:56:37 -0000 1.2
+++ modules/aaa/mod_authz_dbm.c 8 Dec 2002 14:09:01 -0000
@@ -151,9 +151,9 @@
OR_AUTHCFG, "what type of DBM file the group file is"),
AP_INIT_FLAG("AuthzDBMAuthoritative", ap_set_flag_slot,
(void *)APR_OFFSETOF(authz_dbm_config_rec, authoritative),
- OR_AUTHCFG, "Set to 'no' to allow access control to be passed along to "
+ OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to "
"lower modules, if the group required is not found or empty, or the user "
- " is not in the required groups. (default is yes.)"),
+ " is not in the required groups. (default is On.)"),
{NULL}
};
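Review bot: the help string in this hunk joins "or the user " with " is not in", which gives a double space in the output; since the line is being touched anyway, drop the leading space. The placement of the full stop also differs between the files in this patch: "(default is On.)" here, "(default is On)." in mod_authn_default.c and "(default: On)." in mod_authz_user.c. Pick one form.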
Index: modules/aaa/mod_authz_default.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authz_default.c,v
retrieving revision 1.1
diff -u -r1.1 mod_authz_default.c
--- modules/aaa/mod_authz_default.c 10 Sep 2002 00:15:39 -0000 1.1
+++ modules/aaa/mod_authz_default.c 8 Dec 2002 14:09:02 -0000
@@ -98,8 +98,8 @@
AP_INIT_FLAG("AccessAuthoritative", ap_set_flag_slot,
(void *)APR_OFFSETOF(authz_default_config_rec, authoritative),
OR_AUTHCFG,
- "Set to 'no' to allow access control to be passed along to "
- "lower modules. (default is yes.)"),
+ "Set to 'Off' to allow access control to be passed along to "
+ "lower modules. (default is On.)"),
{NULL}
};
Index: modules/aaa/mod_authz_groupfile.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authz_groupfile.c,v
retrieving revision 1.4
diff -u -r1.4 mod_authz_groupfile.c
--- modules/aaa/mod_authz_groupfile.c 13 Sep 2002 23:59:58 -0000 1.4
+++ modules/aaa/mod_authz_groupfile.c 8 Dec 2002 14:09:03 -0000
@@ -130,9 +130,9 @@
(void *)APR_OFFSETOF(authz_groupfile_config_rec,
authoritative),
OR_AUTHCFG,
- "Set to 'no' to allow access control to be passed along to "
+ "Set to 'Off' to allow access control to be passed along to "
"lower modules if the 'require group' fails. (default is "
- "no)."),
+ "On)."),
{NULL}
};
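Review bot: unlike the other hunks, this one changes the stated default, from "no" to "On", instead of only renaming yes/no to On/Off. Please confirm it against the value set in the module's create-dir-config function and mention the correction in the commit message, since it changes what the help text tells administrators.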
Index: modules/aaa/mod_authz_user.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/aaa/mod_authz_user.c,v
retrieving revision 1.1
diff -u -r1.1 mod_authz_user.c
--- modules/aaa/mod_authz_user.c 10 Sep 2002 00:15:39 -0000 1.1
+++ modules/aaa/mod_authz_user.c 8 Dec 2002 14:09:04 -0000
@@ -97,9 +97,9 @@
AP_INIT_FLAG("AuthzUserAuthoritative", ap_set_flag_slot,
(void *)APR_OFFSETOF(authz_user_config_rec, authoritative),
OR_AUTHCFG,
- "Set to 'no' to allow access control to be passed along to "
+ "Set to 'Off' to allow access control to be passed along to "
"lower modules if the 'require user' or 'require valid-user' "
- "statement is not met. (default: yes)."),
+ "statement is not met. (default: On)."),
{NULL}
};
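The loop change described for authoritative.diff, modelled as a stand-alone C program. This is an added example, not code from the patches or from httpd: the three providers, their credentials and run_chain are constructed for illustration, and only the result names and the two break conditions are taken from the diff.

```c
#include <stdio.h>
#include <string.h>

/* Result names as used in the patch; the numeric values here are arbitrary. */
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND,
               AUTH_GENERAL_ERROR } authn_status;
typedef authn_status (*check_fn)(const char *user, const char *pw);

/* Constructed provider: knows "alice" with the password "current". */
static authn_status primary(const char *user, const char *pw) {
    if (strcmp(user, "alice") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(pw, "current") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}
/* Constructed provider: stale store that still accepts alice/"old". */
static authn_status stale(const char *user, const char *pw) {
    if (strcmp(user, "alice") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(pw, "old") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}
/* Constructed provider: backend failure on every lookup. */
static authn_status broken(const char *user, const char *pw) {
    (void)user; (void)pw;
    return AUTH_GENERAL_ERROR;
}

/* Walk the chain. patched=0 breaks only on AUTH_GRANTED (old condition);
 * patched=1 breaks on anything except AUTH_USER_NOT_FOUND (new condition). */
static authn_status run_chain(const check_fn *chain, size_t n,
                              const char *user, const char *pw, int patched) {
    authn_status res = AUTH_USER_NOT_FOUND;
    for (size_t i = 0; i < n; i++) {
        res = chain[i](user, pw);
        if (patched ? res != AUTH_USER_NOT_FOUND : res == AUTH_GRANTED)
            break;
    }
    return res;
}

static const check_fn deny_then_stale[] = { primary, stale };
static const check_fn error_then_stale[] = { broken, stale };

int main(void) {
    printf("denied first: old=%d new=%d\n",
           run_chain(deny_then_stale, 2, "alice", "old", 0),
           run_chain(deny_then_stale, 2, "alice", "old", 1));
    printf("error first:  old=%d new=%d\n",
           run_chain(error_then_stale, 2, "alice", "old", 0),
           run_chain(error_then_stale, 2, "alice", "old", 1));
    return 0;
}
```

With the old condition a denial or a backend error from the first provider is overwritten by a later provider's grant; with the patched condition the first definite answer stands.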