The approach for allowing authorization by user or IP introduced in r956387,
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.

So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex function returns OK, the
request will be allowed without authentication.

To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Fritsch
2010-07-14 19:59:31 +00:00
parent ed67c11e05
commit f14218c7ad
13 changed files with 196 additions and 111 deletions
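To make the combination rules in the commit message concrete, the following is a constructed C model (added here, not httpd's or mod_authz_core's own code) of a RequireAny walk in the two phases the message describes: the access_checker_ex phase with no user yet, and the auth_checker phase after authentication. The request_rec, provider and return-code definitions are reduced to what the message mentions, and the choice of HTTP_FORBIDDEN / HTTP_UNAUTHORIZED for the two failure paths is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the three-way authz result this commit introduces;
 * the names mirror httpd's, but this is not mod_authz_core's own code. */
typedef enum { AUTHZ_GRANTED, AUTHZ_DENIED, AUTHZ_DENIED_NO_USER } authz_status;
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403 };

typedef struct { const char *remote_ip; const char *user; } request_rec;
typedef enum { REQ_IP, REQ_VALID_USER } require_kind;
typedef struct { require_kind kind; const char *arg; } require_line;
/* One Require provider: "ip" is decided from the connection alone, while
 * "valid-user" cannot decide until check_user_id has set r->user. */
static authz_status run_provider(const request_rec *r, const require_line *l) {
    if (l->kind == REQ_IP)
        return strncmp(r->remote_ip, l->arg, strlen(l->arg)) == 0
               ? AUTHZ_GRANTED : AUTHZ_DENIED;
    return r->user ? AUTHZ_GRANTED : AUTHZ_DENIED_NO_USER;
}

/* <RequireAny> walk: any GRANTED wins; a provider that needs a user makes the
 * block undecidable (DENIED_NO_USER); only all-DENIED is a real denial. */
static authz_status require_any(const request_rec *r, const require_line *ls, size_t n) {
    authz_status out = AUTHZ_DENIED;
    for (size_t i = 0; i < n; i++) {
        authz_status s = run_provider(r, &ls[i]);
        if (s == AUTHZ_GRANTED) return AUTHZ_GRANTED;
        if (s == AUTHZ_DENIED_NO_USER) out = AUTHZ_DENIED_NO_USER;
    }
    return out;
}

/* access_checker_ex phase: before check_user_id, so r->user is unset. OK allows
 * the request with no authentication run, so no auth failure is ever noted. */
int access_checker_ex(const char *remote_ip, const require_line *ls, size_t n) {
    request_rec r = { remote_ip, NULL };
    switch (require_any(&r, ls, n)) {
    case AUTHZ_GRANTED: return OK;
    case AUTHZ_DENIED:  return HTTP_FORBIDDEN; /* no user could change this */
    default:            return DECLINED;       /* proceed to check_user_id */
    }
}

/* auth_checker phase: reached only after DECLINED above and after the user
 * was authenticated, so DENIED_NO_USER can no longer occur here. */
int auth_checker(const char *remote_ip, const char *user,
                 const require_line *ls, size_t n) {
    request_rec r = { remote_ip, user };
    return require_any(&r, ls, n) == AUTHZ_GRANTED ? OK : HTTP_UNAUTHORIZED;
}
```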


@ -419,6 +419,20 @@ AP_DECLARE_HOOK(int,type_checker,(request_rec *r))
*/
AP_DECLARE_HOOK(int,access_checker,(request_rec *r))
/**
* This hook is used to apply additional access control and/or bypass
* authentication for this resource. It runs *before* a user is authenticated,
* but after the auth_checker hook.
* This hook should be registered with ap_hook_check_access_ex().
*
* @param r the current request
* @return OK (allow acces), DECLINED (let later modules decide),
* or HTTP_... (deny access)
* @ingroup hooks
* @see ap_hook_check_access_ex
*/
AP_DECLARE_HOOK(int,access_checker_ex,(request_rec *r))
/**
* This hook is used to check to see if the resource being requested
* is available for the authenticated user (r->user and r->ap_auth_type).
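Review bot: the ordering stated in the new hook's doc comment contradicts the commit message: the comment says the hook runs "after the auth_checker hook", but the message places access_checker_ex between the access_checker and check_user_id hooks, and auth_checker only runs once a user is authenticated, so the line should read "but after the access_checker hook". In the same block, "allow acces" should be "allow access", and the @return text would be clearer if it said that OK ends the phase with the request allowed and authentication skipped entirely, since that is the behaviour the message describes.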
@ -452,6 +466,25 @@ AP_DECLARE(void) ap_hook_check_access(ap_HOOK_access_checker_t *pf,
const char * const *aszSucc,
int nOrder, int type);
/**
* Register a hook function that will apply additional access control
* and/or bypass authentication for the current request.
* @param pf An access_checker_ex hook function
* @param aszPre A NULL-terminated array of strings that name modules whose
* hooks should precede this one
* @param aszSucc A NULL-terminated array of strings that name modules whose
* hooks should succeed this one
* @param nOrder An integer determining order before honouring aszPre and
* aszSucc (for example, HOOK_MIDDLE)
* @param type Internal request processing mode, either
* AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
*/
AP_DECLARE(void) ap_hook_check_access_ex(ap_HOOK_access_checker_ex_t *pf,
const char * const *aszPre,
const char * const *aszSucc,
int nOrder, int type);
/**
* Register a hook function that will analyze the request headers,
* authenticate the user, and set the user information in the request record.
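Review bot: the registration doc for ap_hook_check_access_ex should say explicitly what a registered function's return value commits the server to, because per the commit message a function returning OK allows the request without authentication for every later module. A module that only wants to add restrictions therefore has to return DECLINED, not OK, when its own check passes; otherwise a passing check silently becomes an authentication bypass. Suggest adding after "and/or bypass authentication for the current request." a sentence such as "The function should return DECLINED unless the request is to be allowed without authentication."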