On 07/14/2010 09:59 PM, [email protected] wrote:
> Author: sf
> Date: Wed Jul 14 19:59:31 2010
> New Revision: 964156
>
> URL: http://svn.apache.org/viewvc?rev=964156&view=rev
> Log:
> The approach for allowing authorization by user or IP introduced in r956387,
> etc. causes problems because the authentication module calls
> note_*_auth_failure if authentication fails. This is inappropriate if access is
> later allowed because of the IP.
>
> So, instead of calling the auth_checker hook even if authentication failed, we
> introduce a new access_checker_ex hook that runs between the access_checker and
> the check_user_id hooks. If an access_checker_ex function returns OK, the
> request will be allowed without authentication.
>
> To make use of this, change mod_authz_core to walk the require blocks in the
> access_checker_ex phase and deny/allow the request if the authz result does not
> depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
> authz provider from an authz provider needing an authenticated user, the latter
> must return the new AUTHZ_DENIED_NO_USER code.
> > > Modified: > httpd/httpd/trunk/docs/manual/developer/new_api_2_4.xml > httpd/httpd/trunk/include/ap_mmn.h > httpd/httpd/trunk/include/http_request.h > httpd/httpd/trunk/include/mod_auth.h > httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c > httpd/httpd/trunk/modules/aaa/mod_authz_core.c > httpd/httpd/trunk/modules/aaa/mod_authz_dbd.c > httpd/httpd/trunk/modules/aaa/mod_authz_dbm.c > httpd/httpd/trunk/modules/aaa/mod_authz_groupfile.c > httpd/httpd/trunk/modules/aaa/mod_authz_host.c > httpd/httpd/trunk/modules/aaa/mod_authz_owner.c > httpd/httpd/trunk/modules/aaa/mod_authz_user.c > httpd/httpd/trunk/server/request.c > > Modified: httpd/httpd/trunk/modules/aaa/mod_authz_host.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_host.c?rev=964156&r1=964155&r2=964156&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/aaa/mod_authz_host.c (original) > +++ httpd/httpd/trunk/modules/aaa/mod_authz_host.c Wed Jul 14 19:59:31 2010 > @@ -104,7 +104,7 @@ static authz_status env_check_authorizat > } > } > > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
Why changing to debug? > "access to %s failed, reason: env variable list does not > meet " > "'require'ments for user '%s' to be allowed access", > r->uri, r->user); > @@ -162,7 +162,7 @@ static authz_status ip_check_authorizati > } > } > > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > "access to %s failed, reason: ip address list does not > meet " > "'require'ments for user '%s' to be allowed access", > r->uri, r->user); Why changing to debug? > @@ -197,7 +197,7 @@ static authz_status host_check_authoriza > } > } > > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, > + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, > "access to %s failed, reason: host name list does not > meet " > "'require'ments for user '%s' to be allowed access", > r->uri, r->user); Why changing to debug? Regards Rüdiger
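
Review bot: In the env_check_authorization hunk (@@ -104), the message still formats r->user through "for user '%s'", but the log message says mod_authz_core now walks the require blocks in the access_checker_ex phase, which runs before check_user_id, so no user may be set when this line is reached. Suggest dropping the user from this message, or including it only when r->user is non-NULL.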
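
Review bot: The ip_check_authorization hunk (@@ -162) lowers the failed-access message from APLOG_ERR to APLOG_DEBUG with no explanation in the log message or in a code comment, and at the default log level this provider would no longer record a request that did not match the IP list. If the point is that a mismatch inside one provider is no longer the final decision, please state that in a comment next to the call and confirm that the final denial is still logged at a level an administrator will see.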
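
Review bot: The host_check_authorization hunk (@@ -197) is the third copy of the same ap_log_rerror call, differing from the env and ip hunks only in the words "host name list". A small shared helper taking the list name would let the log level and wording be changed in one place instead of three, and would keep the three providers from drifting apart.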
