Date: Fri, 25 Aug 2006 13:29:59 -0400 From: "Garrett, Philip \(MAN-Corporate\)" <[EMAIL PROTECTED]> Subject: Re: [modauthtkt-users] Fallback to guest access To: <[EMAIL PROTECTED]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="us-ascii" [third post attempt] Hi Gavin, On Mon, Jul 31, 2006 at 09:34:22AM +1000, Gavin Carr wrote: > > > Would you be willing to accept a patch for a parameter to allow fallback to > > guest login when the ticket is invalid and TKTAuthGuestLogin is turned on? > > It would make things lots easier for me, and I can't see (yet, anyway) how it > > might harm others. > > I think that makes sense, at least for timeouts, and probably for invalid tickets > (though it might make debugging invalid tickets a bit harder). It wouldn't make > sense for the unauthorised case (wrong tokens), so we wouldn't want it there. I've attached a patch to implement this behavior with a TKTAuthGuestFallback parameter. It seems to work for my purposes, but I've hardly put it through any rigorous tests. If you're ok with the general premise (and implementation), I'll be happy to update the POD, too. Regards, Philip --- src/mod_auth_tkt.c.orig 2006-08-22 09:31:37.810508000 -0400 +++ src/mod_auth_tkt.c 2006-08-22 12:54:05.004509000 -0400 @@ -59,6 +59,7 @@ int guest_login; int guest_cookie; char *guest_user; + int guest_fallback; int debug; } auth_tkt_dir_conf; 
@@ -129,6 +130,7 @@ conf->guest_login = -1; conf->guest_cookie = -1; conf->guest_user = NULL; + conf->guest_fallback = -1; conf->debug = -1; return conf; } @@ -160,6 +162,7 @@ conf->guest_login = (subdir->guest_login >= 0) ? subdir->guest_login : parent->guest_login; conf->guest_cookie = (subdir->guest_cookie >= 0) ? subdir->guest_cookie : parent->guest_cookie; conf->guest_user = (subdir->guest_user) ? subdir->guest_user : parent->guest_user; + conf->guest_fallback = (subdir->guest_fallback >= 0) ? subdir->guest_fallback : parent->guest_fallback; conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug; return conf; @@ -414,6 +417,9 @@ AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot, (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_user), OR_AUTHCFG, "username to use for guest logins"), + AP_INIT_TAKE1("TKTAuthGuestFallback", ap_set_flag_slot, + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_fallback), + OR_AUTHCFG, "whether to fall back to guest if an expired ticket is received"), AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug, (void *)APR_OFFSETOF(auth_tkt_dir_conf, debug), OR_AUTHCFG, "debug level (1-3, higher for more debug output)"), 
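Review bot: The new `TKTAuthGuestFallback` entry registers `ap_set_flag_slot` through `AP_INIT_TAKE1`, but that handler takes an `int` on/off argument and belongs with `AP_INIT_FLAG`. Registered as TAKE1 it is handed the argument string's pointer instead, so the slot would most likely end up 1 for any value, including `Off`, and an administrator could not switch the fallback off once the directive is present. The first line should read `AP_INIT_FLAG("TKTAuthGuestFallback", ap_set_flag_slot,` with the other two lines unchanged. The help string could also state that the setting only takes effect when `TKTAuthGuestLogin` is on, since the timeout branch later in this patch tests both.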
@@ -1096,6 +1102,98 @@ return HTTP_TEMPORARY_REDIRECT; } +/* determine the guest username */ +static char * +get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf) +{ +#ifndef APACHE13 + char *guest_user; + int guest_user_length; + apr_uuid_t *uuid; + char *uuid_str, *uuid_length_str; + regex_t *uuid_regex; + regmatch_t regm[UUID_SUBS]; + int uuid_length = -1; + char *uuid_pre, *uuid_post; +#endif + + /* no guest user specified via config, use the default */ + if (! conf->guest_user) { + return DEFAULT_GUEST_USER; + } + +#ifdef APACHE13 + /* We don't support %U under apache1 at this point */ + return conf->guest_user; +#else + + /* use UUID if configured */ + guest_user = apr_pstrdup(r->pool, conf->guest_user); + uuid_regex = ap_pregcomp(r->pool, "%([0-9]*)U", 0); + if (!ap_regexec(uuid_regex, guest_user, UUID_SUBS, regm, 0)) { + /* Check whether a UUID length was specified */ + if (regm[1].rm_so != -1) { + uuid_length_str = ap_pregsub(r->pool, "$1", guest_user, + UUID_SUBS, regm); + if (uuid_length_str) + uuid_length = atoi(uuid_length_str); + } + if (uuid_length <= 0 || uuid_length > APR_UUID_FORMATTED_LENGTH) { + uuid_length = APR_UUID_FORMATTED_LENGTH; + } + if (conf->debug >= 1) { + ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, + "TKT: %%U found in guest user (length %d)", uuid_length); + } + /* Generate the UUID */ + uuid = apr_palloc(r->pool, sizeof(*uuid)); + uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1); + apr_uuid_get(uuid); + apr_uuid_format(uuid_str, uuid); + if (uuid_length < APR_UUID_FORMATTED_LENGTH) + uuid_str[uuid_length] = '\0'; + /* Generate the new guest_user string */ + guest_user_length = strlen(guest_user); + if (regm[0].rm_so > 1) { + guest_user[regm[1].rm_so-1] = '\0'; + uuid_pre = guest_user; + } + else + uuid_pre = ""; + if (regm[0].rm_eo < guest_user_length) + uuid_post = guest_user + regm[0].rm_eo; + else + uuid_post = ""; + + return apr_psprintf(r->pool, "%s%s%s", + uuid_pre, uuid_str, uuid_post); + } + + /* 
Otherwise, it's just a plain username. Return that. */ + return conf->guest_user; +#endif /* ! APACHE13 */ + +} + +/* Set up the guest user info */ +static int +setup_guest(request_rec *r, auth_tkt_dir_conf *conf, auth_tkt *tkt) +{ + /* directory must be configured for guest access */ + if (conf->guest_login <= 0) { + return 0; + } + + tkt->uid = get_guest_uid(r, conf); + tkt->user_data = ""; + tkt->tokens = ""; + ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, + "TKT: no valid ticket found - accepting as guest user '%s'", + tkt->uid); + + return 1; +} + /* ----------------------------------------------------------------------- */ /* Debug routines */ void @@ -1130,6 +1228,7 @@ fprintf(stderr,"TKTAuthGuestLogin: %d\n", conf->guest_login); fprintf(stderr,"TKTAuthGuestCookie: %d\n", conf->guest_cookie); fprintf(stderr,"TKTAuthGuestUser: %s\n", conf->guest_user); + fprintf(stderr,"TKTAuthGuestFallback: %d\n", conf->guest_fallback); if (conf->auth_token->nelts > 0) { char ** auth_token = (char **) conf->auth_token->elts; int i; @@ -1157,16 +1256,6 @@ int guest = 0; int timeout; char *url = NULL; -#ifndef APACHE13 - char *guest_user; - int guest_user_length; - apr_uuid_t *uuid; - char *uuid_str, *uuid_length_str; - regex_t *uuid_regex; - regmatch_t regm[UUID_SUBS]; - int uuid_length = -1; - char *uuid_pre, *uuid_post; -#endif dump_config(r); 
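Review bot: In `get_guest_uid()` the prefix test `if (regm[0].rm_so > 1)` drops a one-character prefix: for a configured guest user such as `g%U` the match starts at offset 1, the test is false, and `uuid_pre` becomes the empty string. The truncation index `regm[1].rm_so-1` also only equals the start of the match because the capture group begins right after the `%`. Since the patch moves this code into its own function, this is a good place to correct both: `if (regm[0].rm_so > 0) {` and `guest_user[regm[0].rm_so] = '\0';`. The result of `ap_pregcomp()` is passed to `ap_regexec()` without a NULL check, which is worth guarding as well. A header comment saying that the returned string is either the static default, the configured value, or a request-pool allocation (so callers must not modify or free it) would help the next reader.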
@@ -1201,66 +1290,7 @@ if (! ticket || ! valid_ticket(r, "url", ticket, parsed)) { ticket = get_cookie_ticket(r); if (! ticket || ! valid_ticket(r, "cookie", ticket, parsed)) { - if (conf->guest_login > 0) { - guest = 1; - if (conf->guest_user) { -#ifdef APACHE13 - /* We don't support %U under apache1 at this point */ - parsed->uid = conf->guest_user; -#else - guest_user = apr_pstrdup(r->pool, conf->guest_user); - uuid_regex = ap_pregcomp(r->pool, "%([0-9]*)U", 0); - if (!ap_regexec(uuid_regex, guest_user, UUID_SUBS, regm, 0)) { - /* Check whether a UUID length was specified */ - if (regm[1].rm_so != -1) { - uuid_length_str = ap_pregsub(r->pool, "$1", guest_user, - UUID_SUBS, regm); - if (uuid_length_str) - uuid_length = atoi(uuid_length_str); - } - if (uuid_length <= 0 || uuid_length > APR_UUID_FORMATTED_LENGTH) { - uuid_length = APR_UUID_FORMATTED_LENGTH; - } - if (conf->debug >= 1) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, - "TKT: %%U found in guest user (length %d)", uuid_length); - } - /* Generate the UUID */ - uuid = apr_palloc(r->pool, sizeof(*uuid)); - uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1); - apr_uuid_get(uuid); - apr_uuid_format(uuid_str, uuid); - if (uuid_length < APR_UUID_FORMATTED_LENGTH) - uuid_str[uuid_length] = '\0'; - /* Generate the new guest_user string */ - guest_user_length = strlen(guest_user); - if (regm[0].rm_so > 1) { - guest_user[regm[1].rm_so-1] = '\0'; - uuid_pre = guest_user; - } - else - uuid_pre = ""; - if (regm[0].rm_eo < guest_user_length) - uuid_post = guest_user + regm[0].rm_eo; - else - uuid_post = ""; - parsed->uid = apr_psprintf(r->pool, "%s%s%s", - uuid_pre, uuid_str, uuid_post); - } - else { - parsed->uid = conf->guest_user; - } -#endif - } - else { - parsed->uid = DEFAULT_GUEST_USER; - } - parsed->user_data = ""; - parsed->tokens = ""; - ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, - "TKT: no valid ticket found - accepting as guest user '%s'", - parsed->uid); - } else { + if (! 
(guest = setup_guest(r, conf, parsed)) ) { ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, "TKT: no valid ticket found - redirecting to login url"); return redirect(r, conf->login_url); @@ -1275,14 +1305,22 @@ /* Valid ticket, check timeout - redirect/timed-out if so */ if (! guest && ! check_timeout(r, parsed)) { - /* Special timeout URL can be defined for POST requests */ - if (strcmp(r->method, "POST") == 0 && conf->post_timeout_url) { - url = conf->post_timeout_url; + + /* allow fallback to guest access upon timeout */ + if (conf->guest_login > 0 && conf->guest_fallback > 0) { + guest = setup_guest(r, conf, parsed); } - else { - url = conf->timeout_url ? conf->timeout_url : conf->login_url; + + if (!guest) { + /* Special timeout URL can be defined for POST requests */ + if (strcmp(r->method, "POST") == 0 && conf->post_timeout_url) { + url = conf->post_timeout_url; + } + else { + url = conf->timeout_url ? conf->timeout_url : conf->login_url; + } + return redirect(r, url); } - return redirect(r, url); } /* If a new guest login and the guest_cookie flag is set, force a cookie refresh */
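Review bot: The timeout fallback calls `setup_guest()` on a ticket that was validated and then found expired, so the access log records "no valid ticket found - accepting as guest user" for what is really a downgrade of a known user. The branch should log its own line before the call, while `parsed->uid` still holds the expired identity, for example `ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, "TKT: ticket for '%s' timed out - falling back to guest", parsed->uid);`. `setup_guest()` resets only `uid`, `user_data` and `tokens`, so every other field of `parsed` keeps the expired ticket's value; whether the cookie-refresh code after this hunk (not visible here) depends on those fields should be checked. With fallback enabled, a POST carrying an expired ticket is now processed as guest and never reaches `post_timeout_url`, which deserves a sentence in the directive's documentation.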