Fix handling of authz configurations, make default authz logic replicate

2.2.x authz logic and support existing configurations (including .htaccess files), and replace <Satisfy*>, Reject, and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge directives. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@709838 13f79535-47bb-0310-9956-ffa450edef68
2025-08-06 11:06:17 +00:00 · 2008-11-02 04:01:32 +00:00
parent 54a737b120
commit fa0fdfa2fc
6 changed files with 486 additions and 556 deletions
--- a/5
+++ b/5
@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]

+  *) authz: Fix handling of authz configurations, make default authz
+     logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
+     and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge
+     directives.  [Chris Darroch]
+
  *) mod_proxy_ajp: Do not fail if response data is sent before all request
     data is read. PR 45911 [Ruediger Pluem]

--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@ -172,13 +172,15 @@
 * 20080920.1 (2.3.0-dev)  Export mod_rewrite.h in the public API.
 * 20080920.2 (2.3.0-dev)  Added ap_timeout_parameter_parse to util.c / httpd.h
 * 20081101.0 (2.3.0-dev)  Remove unused AUTHZ_GROUP_NOTE define.
+ * 20081102.0 (2.3.0-dev)  Remove authz_provider_list, authz_request_state,
+ *                         and AUTHZ_ACCESS_PASSED_NOTE.
 *
 */

 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */

 #ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20081101
+#define MODULE_MAGIC_NUMBER_MAJOR 20081102
 #endif
 #define MODULE_MAGIC_NUMBER_MINOR 0                     /* 0...n */

--- a/include/mod_auth.h
+++ b/include/mod_auth.h
@ -44,7 +44,6 @@ extern "C" {

 #define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
 #define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
-#define AUTHZ_ACCESS_PASSED_NOTE "authz_access_passed"

 #define AUTHN_PREFIX "AUTHENTICATE_"

@ -72,15 +71,10 @@ typedef enum {
 typedef enum {
    AUTHZ_DENIED,
    AUTHZ_GRANTED,
-    AUTHZ_GENERAL_ERROR,
-    AUTHZ_NEUTRAL
+    AUTHZ_NEUTRAL,
+    AUTHZ_GENERAL_ERROR
 } authz_status;

-typedef enum {
-    AUTHZ_REQSTATE_ONE,
-    AUTHZ_REQSTATE_ALL
-} authz_request_state;
-
 typedef struct {
    /* Given a username and password, expected to return AUTH_GRANTED
     * if we can validate this user/password combination.
@ -112,23 +106,6 @@ typedef struct {
                                        const char *require_line);
 } authz_provider;

-/* A linked-list of authn providers. */
-typedef struct authz_provider_list authz_provider_list;
-
-struct authz_provider_list {
-    const char *provider_name;
-    const authz_provider *provider;
-    authz_provider_list *one_next;
-    authz_provider_list *all_next;
-    /** If a Limit method is in effect, this field will be set */
-    apr_int64_t method_mask;
-    authz_request_state req_state;
-    int req_state_level;
-    /** String following 'require <provider>' from config file */
-    char *requirement;
-    int is_reject;
-};
-
 #ifdef __cplusplus
 }
 #endif
--- a/modules/aaa/mod_access_compat.c
+++ b/modules/aaa/mod_access_compat.c
@ -349,18 +349,6 @@ static int check_dir_access(request_rec *r)
        }
    }

-    if (ret == OK) {
-        apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "Y");
-    }
-    else {
-        apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "N");
-        /* If Satisfy is not Any and authorization is required, then 
-           defer to the authorization stage */
-        if ((access_compat_ap_satisfies(r) != SATISFY_ANY) && ap_some_auth_required(r)) {
-            ret = OK;
-        }
-    }
-
    if (ret == HTTP_FORBIDDEN) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "client denied by server configuration: %s%s",
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
--- a/modules/aaa/mod_authz_default.c
+++ b/modules/aaa/mod_authz_default.c
@ -56,12 +56,6 @@ static int check_user_access(request_rec *r)
 {
    authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                 &authz_default_module);
-    const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
-
-    /* If we got here and access checker passed, assume access is OK */
-    if (note && (note[0] == 'Y') && (ap_satisfies(r) == SATISFY_ANY)) {
-        return OK;
-    }

    /* If we got here and there isn't any authz required, assume access is OK */
    if (!ap_some_auth_required(r)) {