diff options
| author | Joe Orton <jorton@apache.org> | 2005-02-10 18:28:43 +0000 |
|---|---|---|
| committer | Joe Orton <jorton@apache.org> | 2005-02-10 18:28:43 +0000 |
| commit | b6783729dcab8492d9b45cf5e4cb8d6438e61781 (patch) | |
| tree | 957dd7897424c4ef4f9ff7fee268addbb467d756 | |
| parent | aa4ad00feab5fa0a2d7f205602752b83364a57d6 (diff) | |
| download | httpd-b6783729dcab8492d9b45cf5e4cb8d6438e61781.tar.gz | |
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Move the
SSLUsername-controlled assignment of r->user above the SSLRequire
checks so that the "username" gets logged if SSLRequire denies access.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@153280 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | ssl_engine_kernel.c | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/ssl_engine_kernel.c b/ssl_engine_kernel.c index 349d9b1f8b..009ad76a7e 100644 --- a/ssl_engine_kernel.c +++ b/ssl_engine_kernel.c @@ -751,6 +751,20 @@ int ssl_hook_Access(request_rec *r) } } + /* If we're trying to have the user name set from a client + * certificate then we need to set it here. This should be safe as + * the user name probably isn't important from an auth checking point + * of view as the certificate supplied acts in that capacity. + * However, if FakeAuth is being used then this isn't the case so + * we need to postpone setting the username until later. + */ + if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) { + char *val = ssl_var_lookup(r->pool, r->server, r->connection, + r, (char *)dc->szUserName); + if (val && val[0]) + r->user = val; + } + /* * Check SSLRequire boolean expressions */ @@ -799,20 +813,6 @@ int ssl_hook_Access(request_rec *r) } } - /* If we're trying to have the user name set from a client - * certificate then we need to set it here. This should be safe as - * the user name probably isn't important from an auth checking point - * of view as the certificate supplied acts in that capacity. - * However, if FakeAuth is being used then this isn't the case so - * we need to postpone setting the username until later. - */ - if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) { - char *val = ssl_var_lookup(r->pool, r->server, r->connection, - r, (char *)dc->szUserName); - if (val && val[0]) - r->user = val; - } - /* * Else access is granted from our point of view (except vendor * handlers override). But we have to return DECLINED here instead |