---- Sorin Manolache <sor...@gmail.com> wrote:
> On 2012-06-26 22:17, oh...@cox.net wrote:
> >
> > ---- Sorin Manolache<sor...@gmail.com> wrote:
> >> On 2012-06-26 19:56, oh...@cox.net wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e.,
> >>> my check_user_id hook function is being called, but none of the SSL vars
> >>> are populated (since, as you said, mod_ssl doesn't populate them until the
> >>> fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to
> >>> get yourself the values of the server certificates, client certificate,
> >>> etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> >
> >
> > Sorin,
> >
> > THANKS for that pointer to ssl_var_lookup.
> >
> > As a very small payback (VERY small) for your help (and others), and for
> > the record, I put the following code (assembled from various places) in
> > ap_headers_early, and it seems to work "somewhat":
> >
> >
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> >
> >     printf("In ap_headers_early\n");
> >
> >     printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> >
> >     typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*,
> >                                       request_rec*, char*);
> >
> >     ssl_var_lookup_t ssl_var_lookup = 0;
> >
> >     /* optional function exported by mod_ssl; the lookup returns 0 when
> >        mod_ssl is not loaded, so guard before calling through it */
> >     ssl_var_lookup =
> >         (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> >
> >     if (ssl_var_lookup == 0)
> >         return DECLINED;
> >
> >     const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r,
> >                                       "SSL_CLIENT_CERT");
> >
> >     printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> >     .
> >     .
> >
> > and it seems to work perfectly!!
> >
> >
> > Do you think that such calls would work in ANY hook? In other words, would
> > I be at my leisure to use that in ANY of the module hooks?
>
> No, it won't work in any hook, in my opinion. The availability of the
> data depends on the phase (hook) in which you run the ssl_var_lookup.
>
> I think, though I'm not sure, that the data are gathered in the
> post_read_request hook. If so, ssl_var_lookup would work in any hook
> that is called after post_read_request.
>
> ap_headers_early is run in post_read_request. My intuition is that
> putting your code there is slightly too early. This is because the
> directory-wide configuration of the request is not yet correctly set in
> this phase and URL rewrite rules have not yet been applied, although I
> don't know if this would affect your functionality.
>
> I'd put the code either in header_parser or in check_user_id and I'd try
> to make sure that my check_user_id is run before webgate's check_user_id.
>
> I'd go for header_parser as it is always run for main requests.
> check_user_id is run only when some conditions are satisfied (check the
> ap_process_request_internal in server/request.c).
>
> If you go for check_user_id, make sure that it is run before Oracle's
> check_user_id. In order to do so, you can use APR_HOOK_FIRST
> (ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)),
> or you can use something like
>
> static const char *successor[] = {nameoftheoraclesourcefile, NULL};
> ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);
>
> (See how mod_ssl places its post_read_request _after_ mod_setenvif's in
> modules/ssl/mod_ssl.c)
>
> Also, I would not change mod_headers, I would write my own module in
> which I'd place my header_parser hook.
>
> Sorin
Hi Sorin,

FYI, it looks like that ssl_var_lookup() call DOES work, even in the
post_read_request/ap_headers_early hook!!

I moved the code that I had before in the insert_header hook to the
post_read_request hook, then modified it to do the ssl_var_lookup() call to
get the SSL_CLIENT_CERT PEM rather than getting it from r->subprocess_env.

I didn't describe clearly earlier what I'm trying to do with this module, but
basically, with my module, I'm trying to intercept the Apache request
processing and, in my module, get an SSO-type cookie/token that, normally, the
webgate looks for to determine if the user has been previously authenticated,
and inject that cookie into the request.

Right now, as I said, my code is in the post_read_request hook, and it's
working (thanks in large part to your help!), but only to a point. It's able
to get the cookie and inject it into the request, and then, I *think*, the
webgate is doing its processing.

The problem I'm now having is that I end up getting a 403/Forbidden response
from Apache after all of that. I'm not quite sure why yet. If I disable the
webgate, everything works ok.

Also, this is a prototype. My intention is that if I can get it working, I'd
implement a new module from scratch, as you recommended, but I need to get
this prototype working first, I think....

Thanks,
Jim
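An added example, not code from this thread, from mod_ssl or from the webgate: the check a module like the one Jim describes should run on what ssl_var_lookup hands back before it mints and injects an SSO cookie from the early hook. Pulling SSL_CLIENT_CERT out of mod_ssl is not the same as having an authenticated client; the PEM is exported whether or not the certificate verified, so the decision has to key on SSL_CLIENT_VERIFY and the subject DN, and it has to cope with the lookup pointer being NULL when mod_ssl is not loaded. The lookup signature is the five-argument one quoted above, with the httpd types (apr_pool_t*, server_rec*, conn_rec*, request_rec*) replaced by void* as an assumption of this example so the file builds without the httpd headers; the per-connection table, the DN and the three connections are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the ssl_var_lookup signature used in the thread. The real parameter
 * types are apr_pool_t*, server_rec*, conn_rec*, request_rec*; they are void*
 * here (an assumption of this example) so the file builds without httpd. */
typedef char *(*ssl_var_lookup_t)(void *pool, void *server, void *conn,
                                  void *req, char *name);

/* Return the verified client subject DN, or NULL when nothing may safely be
 * turned into an SSO identity:
 *   - lookup == NULL: mod_ssl is not loaded, so the optional function was
 *     never registered (apr_dynamic_fn_retrieve returns NULL);
 *   - SSL_CLIENT_VERIFY != "SUCCESS": no cert, or a cert that did not chain
 *     to a trusted CA (mod_ssl reports NONE, GENEROUS or FAILED:<reason>);
 *   - empty SSL_CLIENT_S_DN: nothing to map to a user.
 * A non-empty SSL_CLIENT_CERT on its own proves nothing: mod_ssl exports the
 * PEM even for a certificate whose verification failed. */
static const char *verified_client_dn(ssl_var_lookup_t lookup, void *pool,
                                      void *server, void *conn, void *req)
{
    const char *verify, *dn;

    if (lookup == NULL)
        return NULL;

    /* mod_ssl's ssl_var_lookup yields "" for unset variables, never NULL;
     * the tests below tolerate both. */
    verify = lookup(pool, server, conn, req, "SSL_CLIENT_VERIFY");
    if (verify == NULL || strcmp(verify, "SUCCESS") != 0)
        return NULL;

    dn = lookup(pool, server, conn, req, "SSL_CLIENT_S_DN");
    if (dn == NULL || dn[0] == '\0')
        return NULL;

    return dn;
}

/* ---- constructed stand-in for mod_ssl, used only to exercise the check --- */

struct fake_conn {             /* what mod_ssl would know about a connection */
    const char *verify;        /* SSL_CLIENT_VERIFY */
    const char *dn;            /* SSL_CLIENT_S_DN   */
    const char *cert;          /* SSL_CLIENT_CERT (abbreviated) */
};

static char *fake_lookup(void *pool, void *server, void *conn, void *req,
                         char *name)
{
    const struct fake_conn *fc = conn;
    (void)pool; (void)server; (void)req;
    if (strcmp(name, "SSL_CLIENT_VERIFY") == 0) return (char *)fc->verify;
    if (strcmp(name, "SSL_CLIENT_S_DN") == 0)   return (char *)fc->dn;
    if (strcmp(name, "SSL_CLIENT_CERT") == 0)   return (char *)fc->cert;
    return "";                 /* mod_ssl returns "" for unknown/unset vars */
}

/* Three constructed connections: a verified client cert, a cert that was
 * presented but rejected (as under SSLVerifyClient optional_no_ca or a
 * missing issuer), and a plain connection with no client cert at all. */
static const struct fake_conn conn_verified = {
    "SUCCESS", "CN=jim,O=Example", "-----BEGIN CERTIFICATE-----..." };
static const struct fake_conn conn_rejected = {
    "FAILED:unable to get local issuer certificate",
    "CN=jim,O=Example", "-----BEGIN CERTIFICATE-----..." };
static const struct fake_conn conn_nocert = { "NONE", "", "" };

int main(void)
{
    const struct fake_conn *conns[] = { &conn_verified, &conn_rejected,
                                        &conn_nocert };
    const char *labels[] = { "verified cert", "rejected cert", "no cert" };
    size_t i;

    for (i = 0; i < sizeof conns / sizeof conns[0]; i++) {
        const char *dn = verified_client_dn(fake_lookup, NULL, NULL,
                                            (void *)conns[i], NULL);
        printf("%-14s SSL_CLIENT_CERT=[%s] -> %s\n", labels[i],
               fake_lookup(NULL, NULL, (void *)conns[i], NULL,
                           "SSL_CLIENT_CERT"),
               dn ? dn : "refuse to inject an SSO cookie");
    }
    /* mod_ssl absent: the retrieved pointer is NULL, so decline outright */
    printf("%-14s -> %s\n", "no mod_ssl",
           verified_client_dn(NULL, NULL, NULL, NULL, NULL)
               ? "?" : "refuse to inject an SSO cookie");
    return 0;
}
```

In a real module the lookup pointer comes from `APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup)` (declared in mod_ssl.h), which is the macro form of the `apr_dynamic_fn_retrieve("ssl_var_lookup")` call quoted above, and the hook is registered with the successor array Sorin describes so it runs before the webgate's. Two further points a reviewer would raise on the injection step itself: only the verified DN, never the raw PEM, should feed the cookie, and the hook must replace any cookie of the same name the client sent rather than append to it, otherwise a client can pre-supply the value the module is about to vouch for.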