mirror of
https://github.com/apache/httpd.git
synced 2025-08-03 16:33:59 +00:00
84687933eb
directives had no matching AuthType and associated authentication directives, requests would generally fall through in the check_user_id hook to mod_authn_default.c's authentication_no_user() handler, which returned DECLINED if ap_auth_type() was not set. The ap_process_request_internal() function in request.c would handle this case by logging an "AuthType not set!" error and returning HTTP_INTERNAL_SERVER_ERROR. The refactoring removes this error handling in request.c, so individual modules will need to test for a lack of authentication, as necessary. Since some modules such as mod_authz_host.c support Require directives that do not need any authentication, the mod_authn_default.c handler no longer returns DECLINED if ap_auth_type() is not set. (Also, mod_authn_default can be compiled out with --disable-authn-default, so it can't be relied upon to exist.) Since r->user may now be NULL, individual handlers must test for that case when necessary. Otherwise, most Require directives in the absence of AuthType directives cause handlers to crash while performing strcmp() and friends on a NULL r->user value. NOTE: I can't test mod_authnz_ldap.c myself, so I'm not sure if it needs similar fixes. On the one hand, a NULL r->user in the authz handlers always generates a log message. However, it appears that authn_ldap_build_filter() will sometimes then be called, perform no action, which may result in a possibly uninitialized filtbuf buffer being passed to util_ldap_cache_getuserdn(). I don't know if that could cause problems in the LDAP cache code. If someone familiar with LDAP authz could take a look, that would be much appreciated. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@705361 13f79535-47bb-0310-9956-ffa450edef68
115 lines
3.5 KiB
C
115 lines
3.5 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include "apr_strings.h"
|
|
|
|
#include "ap_config.h"
|
|
#include "ap_provider.h"
|
|
#include "httpd.h"
|
|
#include "http_config.h"
|
|
#include "http_core.h"
|
|
#include "http_log.h"
|
|
#include "http_protocol.h"
|
|
#include "http_request.h"
|
|
|
|
#include "mod_auth.h"
|
|
|
|
typedef struct {
|
|
int dummy; /* just here to stop compiler warnings for now. */
|
|
} authz_user_config_rec;
|
|
|
|
static void *create_authz_user_dir_config(apr_pool_t *p, char *d)
|
|
{
|
|
authz_user_config_rec *conf = apr_palloc(p, sizeof(*conf));
|
|
|
|
return conf;
|
|
}
|
|
|
|
static const command_rec authz_user_cmds[] =
|
|
{
|
|
{NULL}
|
|
};
|
|
|
|
module AP_MODULE_DECLARE_DATA authz_user_module;
|
|
|
|
static authz_status user_check_authorization(request_rec *r,
|
|
const char *require_args)
|
|
{
|
|
const char *t, *w;
|
|
|
|
if (!r->user) {
|
|
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
"access to %s failed, reason: no authenticated user", r->uri);
|
|
return AUTHZ_DENIED;
|
|
}
|
|
|
|
t = require_args;
|
|
while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
|
|
if (!strcmp(r->user, w)) {
|
|
return AUTHZ_GRANTED;
|
|
}
|
|
}
|
|
|
|
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
"access to %s failed, reason: user '%s' does not meet "
|
|
"'require'ments for user to be allowed access",
|
|
r->uri, r->user);
|
|
|
|
return AUTHZ_DENIED;
|
|
}
|
|
|
|
static authz_status validuser_check_authorization(request_rec *r, const char *require_line)
|
|
{
|
|
if (!r->user) {
|
|
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
|
|
"access to %s failed, reason: no authenticated user", r->uri);
|
|
return AUTHZ_DENIED;
|
|
}
|
|
|
|
return AUTHZ_GRANTED;
|
|
}
|
|
|
|
static const authz_provider authz_user_provider =
|
|
{
|
|
&user_check_authorization,
|
|
};
|
|
static const authz_provider authz_validuser_provider =
|
|
{
|
|
&validuser_check_authorization,
|
|
};
|
|
|
|
static void register_hooks(apr_pool_t *p)
|
|
{
|
|
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "user",
|
|
AUTHZ_PROVIDER_VERSION,
|
|
&authz_user_provider, AP_AUTH_INTERNAL_PER_CONF);
|
|
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "valid-user",
|
|
AUTHZ_PROVIDER_VERSION,
|
|
&authz_validuser_provider,
|
|
AP_AUTH_INTERNAL_PER_CONF);
|
|
}
|
|
|
|
module AP_MODULE_DECLARE_DATA authz_user_module =
|
|
{
|
|
STANDARD20_MODULE_STUFF,
|
|
create_authz_user_dir_config, /* dir config creater */
|
|
NULL, /* dir merger --- default is to override */
|
|
NULL, /* server config */
|
|
NULL, /* merge server config */
|
|
authz_user_cmds, /* command apr_table_t */
|
|
register_hooks /* register hooks */
|
|
};
|