Send modauthtkt-users mailing list submissions to
modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]
You can reach the person managing the list at
[EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."
Today's Topics:
1. Re: Fallback to guest access (Gavin Carr)
2. Re: Fallback to guest access (Charles Bueche)
3. Re: Fallback to guest access (Garrett, Philip (MAN-Corporate))
----------------------------------------------------------------------
Message: 1
Date: Fri, 8 Sep 2006 08:25:07 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Fallback to guest access
To: "Garrett, Philip \(MAN-Corporate\)" <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
Hi Philip,
On Thu, Sep 07, 2006 at 09:12:30AM -0400, Garrett, Philip (MAN-Corporate) wrote:
> Have you had a chance to look at this patch?
I have. It looks good, but I'm trying to decide whether we need it to be user
configurable at all i.e. maybe this should be the standard behaviour. Can you
envisage a situation where falling back to guest is the wrong thing to do?
Cheers,
Gavin
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Garrett, Philip (MAN-Corporate)
> Sent: Friday, August 25, 2006 1:30 PM
> To: modauthtkt-users@lists.sourceforge.net
> Subject: Re: [modauthtkt-users] Fallback to guest access
>
> [third post attempt]
>
> Hi Gavin,
>
> On Mon, Jul 31, 2006 at 09:34:22AM +1000, Gavin Carr wrote:
> >
> > > Would you be willing to accept a patch for a parameter to allow
> fallback to
> > > guest login when the ticket is invalid and TKTAuthGuestLogin is
> turned on?
> > > It would make things lots easier for me, and I can't see (yet,
> anyway) how it
> > > might harm others.
> >
> > I think that makes sense, at least for timeouts, and probably for
> invalid tickets
> > (though it might make debugging invalid tickets a bit harder). It
> wouldn't make
> > sense for the unauthorised case (wrong tokens), so we wouldn't want it
> there.
>
> I've attached a patch to implement this behavior with a
> TKTAuthGuestFallback parameter. It seems to work for my purposes,
> but I've hardly put it through any rigorous tests. If you're ok
> with the general premise (and implementation), I'll be happy to
> update the POD, too.
>
> Regards,
> Philip
>
> --- src/mod_auth_tkt.c.orig 2006-08-22 09:31:37.810508000 -0400
> +++ src/mod_auth_tkt.c 2006-08-22 12:54:05.004509000 -0400
> @@ -59,6 +59,7 @@
> int guest_login;
> int guest_cookie;
> char *guest_user;
> + int guest_fallback;
> int debug;
> } auth_tkt_dir_conf;
>
> @@ -129,6 +130,7 @@
> conf->guest_login = -1;
> conf->guest_cookie = -1;
> conf->guest_user = NULL;
> + conf->guest_fallback = -1;
> conf->debug = -1;
> return conf;
> }
> @@ -160,6 +162,7 @@
> conf->guest_login = (subdir->guest_login >= 0) ? subdir->guest_login
> : parent->guest_login;
> conf->guest_cookie = (subdir->guest_cookie >= 0) ?
> subdir->guest_cookie : parent->guest_cookie;
> conf->guest_user = (subdir->guest_user) ? subdir->guest_user :
> parent->guest_user;
> + conf->guest_fallback = (subdir->guest_fallback >= 0) ?
> subdir->guest_fallback : parent->guest_fallback;
> conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug;
>
> return conf;
> @@ -414,6 +417,9 @@
> AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot,
> (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_user),
> OR_AUTHCFG, "username to use for guest logins"),
> + AP_INIT_TAKE1("TKTAuthGuestFallback", ap_set_flag_slot,
> + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_fallback),
> + OR_AUTHCFG, "whether to fall back to guest if an expired ticket is
> received"),
> AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug,
> (void *)APR_OFFSETOF(auth_tkt_dir_conf, debug),
> OR_AUTHCFG, "debug level (1-3, higher for more debug output)"),
> @@ -1096,6 +1102,98 @@
> return HTTP_TEMPORARY_REDIRECT;
> }
>
> +/* determine the guest username */
> +static char *
> +get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf)
> +{
> +#ifndef APACHE13
> + char *guest_user;
> + int guest_user_length;
> + apr_uuid_t *uuid;
> + char *uuid_str, *uuid_length_str;
> + regex_t *uuid_regex;
> + regmatch_t regm[UUID_SUBS];
> + int uuid_length = -1;
> + char *uuid_pre, *uuid_post;
> +#endif
> +
> + /* no guest user specified via config, use the default */
> + if (! conf->guest_user) {
> + return DEFAULT_GUEST_USER;
> + }
> +
> +#ifdef APACHE13
> + /* We don't support %U under apache1 at this point */
> + return conf->guest_user;
> +#else
> +
> + /* use UUID if configured */
> + guest_user = apr_pstrdup(r->pool, conf->guest_user);
> + uuid_regex = ap_pregcomp(r->pool, "%([0-9]*)U", 0);
> + if (!ap_regexec(uuid_regex, guest_user, UUID_SUBS, regm, 0)) {
> + /* Check whether a UUID length was specified */
> + if (regm[1].rm_so != -1) {
> + uuid_length_str = ap_pregsub(r->pool, "$1", guest_user,
> + UUID_SUBS, regm);
> + if (uuid_length_str)
> + uuid_length = atoi(uuid_length_str);
> + }
> + if (uuid_length <= 0 || uuid_length > APR_UUID_FORMATTED_LENGTH) {
> + uuid_length = APR_UUID_FORMATTED_LENGTH;
> + }
> + if (conf->debug >= 1) {
> + ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
> + "TKT: %%U found in guest user (length %d)", uuid_length);
> + }
> + /* Generate the UUID */
> + uuid = apr_palloc(r->pool, sizeof(*uuid));
> + uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1);
> + apr_uuid_get(uuid);
> + apr_uuid_format(uuid_str, uuid);
> + if (uuid_length < APR_UUID_FORMATTED_LENGTH)
> + uuid_str[uuid_length] = '\0';
> + /* Generate the new guest_user string */
> + guest_user_length = strlen(guest_user);
> + if (regm[0].rm_so > 1) {
> + guest_user[regm[1].rm_so-1] = '\0';
> + uuid_pre = guest_user;
> + }
> + else
> + uuid_pre = "";
> + if (regm[0].rm_eo < guest_user_length)
> + uuid_post = guest_user + regm[0].rm_eo;
> + else
> + uuid_post = "";
> +
> + return apr_psprintf(r->pool, "%s%s%s",
> + uuid_pre, uuid_str, uuid_post);
> + }
> +
> + /* Otherwise, it's just a plain username. Return that. */
> + return conf->guest_user;
> +#endif /* ! APACHE13 */
> +
> +}
> +
> +/* Set up the guest user info */
> +static int
> +setup_guest(request_rec *r, auth_tkt_dir_conf *conf, auth_tkt *tkt)
> +{
> + /* directory must be configured for guest access */
> + if (conf->guest_login <= 0) {
> + return 0;
> + }
> +
> + tkt->uid = get_guest_uid(r, conf);
> + tkt->user_data = "";
> + tkt->tokens = "";
> + ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
> + "TKT: no valid ticket found - accepting as guest user '%s'",
> + tkt->uid);
> +
> + return 1;
> +}
> +
> /*
> -----------------------------------------------------------------------
> */
> /* Debug routines */
> void
> @@ -1130,6 +1228,7 @@
> fprintf(stderr,"TKTAuthGuestLogin: %d\n",
> conf->guest_login);
> fprintf(stderr,"TKTAuthGuestCookie: %d\n",
> conf->guest_cookie);
> fprintf(stderr,"TKTAuthGuestUser: %s\n",
> conf->guest_user);
> + fprintf(stderr,"TKTAuthGuestFallback: %d\n",
> conf->guest_fallback);
> if (conf->auth_token->nelts > 0) {
> char ** auth_token = (char **) conf->auth_token->elts;
> int i;
> @@ -1157,16 +1256,6 @@
> int guest = 0;
> int timeout;
> char *url = NULL;
> -#ifndef APACHE13
> - char *guest_user;
> - int guest_user_length;
> - apr_uuid_t *uuid;
> - char *uuid_str, *uuid_length_str;
> - regex_t *uuid_regex;
> - regmatch_t regm[UUID_SUBS];
> - int uuid_length = -1;
> - char *uuid_pre, *uuid_post;
> -#endif
>
> dump_config(r);
>
> @@ -1201,66 +1290,7 @@
> if (! ticket || ! valid_ticket(r, "url", ticket, parsed)) {
> ticket = get_cookie_ticket(r);
> if (! ticket || ! valid_ticket(r, "cookie", ticket, parsed)) {
> - if (conf->guest_login > 0) {
> - guest = 1;
> - if (conf->guest_user) {
> -#ifdef APACHE13
> - /* We don't support %U under apache1 at this point */
> - parsed->uid = conf->guest_user;
> -#else
> - guest_user = apr_pstrdup(r->pool, conf->guest_user);
> - uuid_regex = ap_pregcomp(r->pool, "%([0-9]*)U", 0);
> - if (!ap_regexec(uuid_regex, guest_user, UUID_SUBS, regm, 0))
> {
> - /* Check whether a UUID length was specified */
> - if (regm[1].rm_so != -1) {
> - uuid_length_str = ap_pregsub(r->pool, "$1", guest_user,
> - UUID_SUBS, regm);
> - if (uuid_length_str)
> - uuid_length = atoi(uuid_length_str);
> - }
> - if (uuid_length <= 0 || uuid_length >
> APR_UUID_FORMATTED_LENGTH) {
> - uuid_length = APR_UUID_FORMATTED_LENGTH;
> - }
> - if (conf->debug >= 1) {
> - ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
> - "TKT: %%U found in guest user (length %d)",
> uuid_length);
> - }
> - /* Generate the UUID */
> - uuid = apr_palloc(r->pool, sizeof(*uuid));
> - uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH +
> 1);
> - apr_uuid_get(uuid);
> - apr_uuid_format(uuid_str, uuid);
> - if (uuid_length < APR_UUID_FORMATTED_LENGTH)
> - uuid_str[uuid_length] = '\0';
> - /* Generate the new guest_user string */
> - guest_user_length = strlen(guest_user);
> - if (regm[0].rm_so > 1) {
> - guest_user[regm[1].rm_so-1] = '\0';
> - uuid_pre = guest_user;
> - }
> - else
> - uuid_pre = "";
> - if (regm[0].rm_eo < guest_user_length)
> - uuid_post = guest_user + regm[0].rm_eo;
> - else
> - uuid_post = "";
> - parsed->uid = apr_psprintf(r->pool, "%s%s%s",
> - uuid_pre, uuid_str, uuid_post);
> - }
> - else {
> - parsed->uid = conf->guest_user;
> - }
> -#endif
> - }
> - else {
> - parsed->uid = DEFAULT_GUEST_USER;
> - }
> - parsed->user_data = "";
> - parsed->tokens = "";
> - ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
> - "TKT: no valid ticket found - accepting as guest user '%s'",
> - parsed->uid);
> - } else {
> + if (! (guest = setup_guest(r, conf, parsed)) ) {
> ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
> "TKT: no valid ticket found - redirecting to login url");
> return redirect(r, conf->login_url);
> @@ -1275,14 +1305,22 @@
>
> /* Valid ticket, check timeout - redirect/timed-out if so */
> if (! guest && ! check_timeout(r, parsed)) {
> - /* Special timeout URL can be defined for POST requests */
> - if (strcmp(r->method, "POST") == 0 && conf->post_timeout_url) {
> - url = conf->post_timeout_url;
> +
> + /* allow fallback to guest access upon timeout */
> + if (conf->guest_login > 0 && conf->guest_fallback > 0) {
> + guest = setup_guest(r, conf, parsed);
> }
> - else {
> - url = conf->timeout_url ? conf->timeout_url : conf->login_url;
> +
> + if (!guest) {
> + /* Special timeout URL can be defined for POST requests */
> + if (strcmp(r->method, "POST") == 0 && conf->post_timeout_url) {
> + url = conf->post_timeout_url;
> + }
> + else {
> + url = conf->timeout_url ? conf->timeout_url : conf->login_url;
> + }
> + return redirect(r, url);
> }
> - return redirect(r, url);
> }
>
> /* If a new guest login and the guest_cookie flag is set, force a
> cookie refresh */
>
> ------------------------------------------------------------------------
> -
> Using Tomcat but need to do more? Need to support web services,
> security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> modauthtkt-users mailing list
> modauthtkt-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> modauthtkt-users mailing list
> modauthtkt-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
>
--
Gavin Carr
Open Fusion - Open Source Business Solutions [ Linux - Perl - Apache ]
http://www.openfusion.com.au
- Fashion is a variable, but style is a constant - Programming Perl
------------------------------
Message: 2
Date: Fri, 08 Sep 2006 11:56:02 +0200
From: Charles Bueche <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Fallback to guest access
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
I'm not sure if I understand the issue correctly, but :
we use mod_auth_tkt to secure a whole bunch of customer secure sites,
including planning physical money transfer for a swiss financial
institution. If there is a default behavior, I would rather prefer it to
be a DENY.
When considering security design, the globally accepted best practice is
default==secure.
My 2ct worth :-)
Charles
Gavin Carr wrote:
> Hi Philip,
>
> On Thu, Sep 07, 2006 at 09:12:30AM -0400, Garrett, Philip (MAN-Corporate)
> wrote:
>> Have you had a chance to look at this patch?
>
> I have. It looks good, but I'm trying to decide whether we need it to be user
> configurable at all i.e. maybe this should be the standard behaviour. Can you
> envisage a situation where falling back to guest is the wrong thing to do?
>
> Cheers,
> Gavin
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of
>> Garrett, Philip (MAN-Corporate)
>> Sent: Friday, August 25, 2006 1:30 PM
>> To: modauthtkt-users@lists.sourceforge.net
>> Subject: Re: [modauthtkt-users] Fallback to guest access
>>
>> [third post attempt]
>>
>> Hi Gavin,
>>
>> On Mon, Jul 31, 2006 at 09:34:22AM +1000, Gavin Carr wrote:
>>>> Would you be willing to accept a patch for a parameter to allow
>> fallback to
>>>> guest login when the ticket is invalid and TKTAuthGuestLogin is
>> turned on?
>>>> It would make things lots easier for me, and I can't see (yet,
>> anyway) how it
>>>> might harm others.
>>> I think that makes sense, at least for timeouts, and probably for
>> invalid tickets
>>> (though it might make debugging invalid tickets a bit harder). It
>> wouldn't make
>>> sense for the unauthorised case (wrong tokens), so we wouldn't want it
>> there.
>>
>> I've attached a patch to implement this behavior with a
>> TKTAuthGuestFallback parameter. It seems to work for my purposes,
>> but I've hardly put it through any rigorous tests. If you're ok
>> with the general premise (and implementation), I'll be happy to
>> update the POD, too.
>>
>> Regards,
>> Philip
>>
>> --- src/mod_auth_tkt.c.orig 2006-08-22 09:31:37.810508000 -0400
>> +++ src/mod_auth_tkt.c 2006-08-22 12:54:05.004509000 -0400
>> @@ -59,6 +59,7 @@
>> int guest_login;
>> int guest_cookie;
>> char *guest_user;
>> + int guest_fallback;
>> int debug;
>> } auth_tkt_dir_conf;
>>
>> @@ -129,6 +130,7 @@
>> conf->guest_login = -1;
>> conf->guest_cookie = -1;
>> conf->guest_user = NULL;
>> + conf->guest_fallback = -1;
>> conf->debug = -1;
>> return conf;
>> }
>> @@ -160,6 +162,7 @@
>> conf->guest_login = (subdir->guest_login >= 0) ? subdir->guest_login
>> : parent->guest_login;
>> conf->guest_cookie = (subdir->guest_cookie >= 0) ?
>> subdir->guest_cookie : parent->guest_cookie;
>> conf->guest_user = (subdir->guest_user) ? subdir->guest_user :
>> parent->guest_user;
>> + conf->guest_fallback = (subdir->guest_fallback >= 0) ?
>> subdir->guest_fallback : parent->guest_fallback;
>> conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug;
>>
>> return conf;
>> @@ -414,6 +417,9 @@
>> AP_INIT_TAKE1("TKTAuthGuestUser", ap_set_string_slot,
>> (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_user),
>> OR_AUTHCFG, "username to use for guest logins"),
>> + AP_INIT_TAKE1("TKTAuthGuestFallback", ap_set_flag_slot,
>> + (void *)APR_OFFSETOF(auth_tkt_dir_conf, guest_fallback),
>> + OR_AUTHCFG, "whether to fall back to guest if an expired ticket is
>> received"),
>> AP_INIT_ITERATE("TKTAuthDebug", set_auth_tkt_debug,
>> (void *)APR_OFFSETOF(auth_tkt_dir_conf, debug),
>> OR_AUTHCFG, "debug level (1-3, higher for more debug output)"),
>> @@ -1096,6 +1102,98 @@
>> return HTTP_TEMPORARY_REDIRECT;
>> }
>>
>> +/* determine the guest username */
>> +static char *
>> +get_guest_uid(request_rec *r, auth_tkt_dir_conf *conf)
>> +{
>> +#ifndef APACHE13
>> + char *guest_user;
>> + int guest_user_length;
>> + apr_uuid_t *uuid;
>> + char *uuid_str, *uuid_length_str;
>> + regex_t *uuid_regex;
>> + regmatch_t regm[UUID_SUBS];
>> + int uuid_length = -1;
>> + char *uuid_pre, *uuid_post;
>> +#endif
>> +
>> + /* no guest user specified via config, use the default */
>> + if (! conf->guest_user) {
>> + return DEFAULT_GUEST_USER;
>> + }
>> +
>> +#ifdef APACHE13
>> + /* We don't support %U under apache1 at this point */
>> + return conf->guest_user;
>> +#else
>> +
>> + /* use UUID if configured */
>> + guest_user = apr_pstrdup(r->pool, conf->guest_user);
>> + uuid_regex = ap_pregcomp(r->pool, "%([0-9]*)U", 0);
>> + if (!ap_regexec(uuid_regex, guest_user, UUID_SUBS, regm, 0)) {
>> + /* Check whether a UUID length was specified */
>> + if (regm[1].rm_so != -1) {
>> + uuid_length_str = ap_pregsub(r->pool, "$1", guest_user,
>> + UUID_SUBS, regm);
>> + if (uuid_length_str)
>> + uuid_length = atoi(uuid_length_str);
>> + }
>> + if (uuid_length <= 0 || uuid_length > APR_UUID_FORMATTED_LENGTH) {
>> + uuid_length = APR_UUID_FORMATTED_LENGTH;
>> + }
>> + if (conf->debug >= 1) {
>> + ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
>> + "TKT: %%U found in guest user (length %d)", uuid_length);
>> + }
>> + /* Generate the UUID */
>> + uuid = apr_palloc(r->pool, sizeof(*uuid));
>> + uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1);
>> + apr_uuid_get(uuid);
>> + apr_uuid_format(uuid_str, uuid);
>> + if (uuid_length < APR_UUID_FORMATTED_LENGTH)
>> + uuid_str[uuid_length] = '\0';
>> + /* Generate the new guest_user string */
>> + guest_user_length = strlen(guest_user);
>> + if (regm[0].rm_so > 1) {
>> + guest_user[regm[1].rm_so-1] = '\0';
>> + uuid_pre = guest_user;
>> + }
>> + else
>> + uuid_pre = "";
>> + if (regm[0].rm_eo < guest_user_length)
>> + uuid_post = guest_user + regm[0].rm_eo;
>> + else
>> + uuid_post = "";
>> +
>> + return apr_psprintf(r->pool, "%s%s%s",
>> + uuid_pre, uuid_str, uuid_post);
>> + }
>> +
>> + /* Otherwise, it's just a plain username. Return that. */
>> + return conf->guest_user;
>> +#endif /* ! APACHE13 */
>> +
>> +}
>> +
>> +/* Set up the guest user info */
>> +static int
>> +setup_guest(request_rec *r, auth_tkt_dir_conf *conf, auth_tkt *tkt)
>> +{
>> + /* directory must be configured for guest access */
>> + if (conf->guest_login <= 0) {
>> + return 0;
>> + }
>> +
>> + tkt->uid = get_guest_uid(r, conf);
>> + tkt->user_data = "";
>> + tkt->tokens = "";
>> + ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
>> + "TKT: no valid ticket found - accepting as guest user '%s'",
>> + tkt->uid);
>> +
>> + return 1;
>> +}
>> +
>> /*
>> -----------------------------------------------------------------------
>> */
>> /* Debug routines */
>> void
>> @@ -1130,6 +1228,7 @@
>> fprintf(stderr,"TKTAuthGuestLogin: %d\n",
>> conf->guest_login);
>> fprintf(stderr,"TKTAuthGuestCookie: %d\n",
>> conf->guest_cookie);
>> fprintf(stderr,"TKTAuthGuestUser: %s\n",
>> conf->guest_user);
>> + fprintf(stderr,"TKTAuthGuestFallback: %d\n",
>> conf->guest_fallback);
>> if (conf->auth_token->nelts > 0) {
>> char ** auth_token = (char **) conf->auth_token->elts;
>> int i;
>> @@ -1157,16 +1256,6 @@
>> int guest = 0;
>> int timeout;
>> char *url = NULL;
>> -#ifndef APACHE13
>> - char *guest_user;
>> - int guest_user_length;
>> - apr_uuid_t *uuid;
>> - char *uuid_str, *uuid_length_str;
>> - regex_t *uuid_regex;
>> - regmatch_t regm[UUID_SUBS];
>> - int uuid_length = -1;
>> - char *uuid_pre, *uuid_post;
>> -#endif
>>
>> dump_config(r);
>>
>> @@ -1201,66 +1290,7 @@
>> if (! ticket || ! valid_ticket(r, "url", ticket, parsed)) {
>> ticket = get_cookie_ticket(r);
>> if (! ticket || ! valid_ticket(r, "cookie", ticket, parsed)) {
>> - if (conf->guest_login > 0) {
>> - guest = 1;
>> - if (conf->guest_user) {
>> -#ifdef APACHE13
>> - /* We don't support %U under apache1 at this point */
>> - parsed->uid = conf->guest_user;
>> -#else
>> - guest_user = apr_pstrdup(r->pool, conf->guest_user);
>> - uuid_regex = ap_pregcomp(r->pool, "%([0-9]*)U", 0);
>> - if (!ap_regexec(uuid_regex, guest_user, UUID_SUBS, regm, 0))
>> {
>> - /* Check whether a UUID length was specified */
>> - if (regm[1].rm_so != -1) {
>> - uuid_length_str = ap_pregsub(r->pool, "$1", guest_user,
>> - UUID_SUBS, regm);
>> - if (uuid_length_str)
>> - uuid_length = atoi(uuid_length_str);
>> - }
>> - if (uuid_length <= 0 || uuid_length >
>> APR_UUID_FORMATTED_LENGTH) {
>> - uuid_length = APR_UUID_FORMATTED_LENGTH;
>> - }
>> - if (conf->debug >= 1) {
>> - ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
>> - "TKT: %%U found in guest user (length %d)",
>> uuid_length);
>> - }
>> - /* Generate the UUID */
>> - uuid = apr_palloc(r->pool, sizeof(*uuid));
>> - uuid_str = apr_palloc(r->pool, APR_UUID_FORMATTED_LENGTH +
>> 1);
>> - apr_uuid_get(uuid);
>> - apr_uuid_format(uuid_str, uuid);
>> - if (uuid_length < APR_UUID_FORMATTED_LENGTH)
>> - uuid_str[uuid_length] = '\0';
>> - /* Generate the new guest_user string */
>> - guest_user_length = strlen(guest_user);
>> - if (regm[0].rm_so > 1) {
>> - guest_user[regm[1].rm_so-1] = '\0';
>> - uuid_pre = guest_user;
>> - }
>> - else
>> - uuid_pre = "";
>> - if (regm[0].rm_eo < guest_user_length)
>> - uuid_post = guest_user + regm[0].rm_eo;
>> - else
>> - uuid_post = "";
>> - parsed->uid = apr_psprintf(r->pool, "%s%s%s",
>> - uuid_pre, uuid_str, uuid_post);
>> - }
>> - else {
>> - parsed->uid = conf->guest_user;
>> - }
>> -#endif
>> - }
>> - else {
>> - parsed->uid = DEFAULT_GUEST_USER;
>> - }
>> - parsed->user_data = "";
>> - parsed->tokens = "";
>> - ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
>> - "TKT: no valid ticket found - accepting as guest user '%s'",
>> - parsed->uid);
>> - } else {
>> + if (! (guest = setup_guest(r, conf, parsed)) ) {
>> ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
>> "TKT: no valid ticket found - redirecting to login url");
>> return redirect(r, conf->login_url);
>> @@ -1275,14 +1305,22 @@
>>
>> /* Valid ticket, check timeout - redirect/timed-out if so */
>> if (! guest && ! check_timeout(r, parsed)) {
>> - /* Special timeout URL can be defined for POST requests */
>> - if (strcmp(r->method, "POST") == 0 && conf->post_timeout_url) {
>> - url = conf->post_timeout_url;
>> +
>> + /* allow fallback to guest access upon timeout */
>> + if (conf->guest_login > 0 && conf->guest_fallback > 0) {
>> + guest = setup_guest(r, conf, parsed);
>> }
>> - else {
>> - url = conf->timeout_url ? conf->timeout_url : conf->login_url;
>> +
>> + if (!guest) {
>> + /* Special timeout URL can be defined for POST requests */
>> + if (strcmp(r->method, "POST") == 0 && conf->post_timeout_url) {
>> + url = conf->post_timeout_url;
>> + }
>> + else {
>> + url = conf->timeout_url ? conf->timeout_url : conf->login_url;
>> + }
>> + return redirect(r, url);
>> }
>> - return redirect(r, url);
>> }
>>
>> /* If a new guest login and the guest_cookie flag is set, force a
>> cookie refresh */
>>
>> ------------------------------------------------------------------------
>> -
>> Using Tomcat but need to do more? Need to support web services,
>> security?
>> Get stuff done quickly with pre-integrated technology to make your job
>> easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache
>> Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> modauthtkt-users mailing list
>> modauthtkt-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
>>
>> -------------------------------------------------------------------------
>> Using Tomcat but need to do more? Need to support web services, security?
>> Get stuff done quickly with pre-integrated technology to make your job easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> modauthtkt-users mailing list
>> modauthtkt-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
>>
>
--
Charles Bueche <[EMAIL PROTECTED]>
sand, snow, wave, wind and net -surfer
------------------------------
Message: 3
Date: Fri, 8 Sep 2006 09:40:00 -0400
From: "Garrett, Philip \(MAN-Corporate\)" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Fallback to guest access
To: <modauthtkt-users@lists.sourceforge.net>
Message-ID:
<[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Charles Bueche wrote:
>
>>> Have you had a chance to look at this patch?
>>
>> I have. It looks good, but I'm trying to decide whether we need it
>> to be user configurable at all i.e. maybe this should be the
>> standard behaviour. Can you envisage a situation where falling back
>> to guest is the wrong thing to do?
I'd be afraid to make it the standard behavior mainly just because it
might require changes to existing installations. But with the config
parameter, no changes are required to keep existing behavior.
> When considering security design, the globally accepted best practice
> is default==secure.
I agree with Charles on this point. Better safe than sorry.
Regards,
Philip
------------------------------
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
------------------------------
_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
End of modauthtkt-users Digest, Vol 4, Issue 3
**********************************************
