authorBradley Nicholes <bnicholes@apache.org>2006-01-14 00:13:22 +0000
committerBradley Nicholes <bnicholes@apache.org>2006-01-14 00:13:22 +0000
commit9b7b82922a9619581b81cf06a62d86cd004383e2 (patch)
tree8c92d554272c35fd716975ea8ee856a567d04f89 /modules
parent81b1938e5b73cf6607f54c7297a51251089a3def (diff)
downloadhttpd-9b7b82922a9619581b81cf06a62d86cd004383e2.tar.gz
Restore Order, Deny, Allow, Satisfy for backwards compatibility with authz
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@368929 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r--modules/aaa/config.m44
-rw-r--r--modules/aaa/mod_auth.h10
-rw-r--r--modules/aaa/mod_authz_core.c34
-rw-r--r--modules/aaa/mod_authz_default.c15
4 files changed, 58 insertions, 5 deletions
diff --git a/modules/aaa/config.m4 b/modules/aaa/config.m4
index f7c01303a4..c809e1a980 100644
--- a/modules/aaa/config.m4
+++ b/modules/aaa/config.m4
@@ -48,6 +48,10 @@ dnl - and just in case all of the above punt; a default handler to
dnl keep the bad guys out.
APACHE_MODULE(authz_default, authorization control backstopper, , , yes)
+dnl - and just in case all of the above punt; a default handler to
+dnl keep the bad guys out.
+APACHE_MODULE(access_compat, mod_access compatibility, , , most)
+
dnl these are the front-end authentication modules
APACHE_MODULE(auth_basic, basic authentication, , , yes)
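Review bot: The two `dnl` lines added above `APACHE_MODULE(access_compat, ...)` are a verbatim copy of the authz_default comment ("a default handler to keep the bad guys out"), so they describe the wrong module. Replace them with a comment that says what this module is for, in line with the commit message, e.g. `dnl - compatibility module for the deprecated Order/Deny/Allow/Satisfy host-based access directives`. Since the module defaults to `most` rather than `yes`, it can be absent from a build; the comment is a good place to record that the authz modules in this commit only use its optional function when it is present.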
diff --git a/modules/aaa/mod_auth.h b/modules/aaa/mod_auth.h
index 0a413946e2..e8bc229444 100644
--- a/modules/aaa/mod_auth.h
+++ b/modules/aaa/mod_auth.h
@@ -42,6 +42,16 @@ extern "C" {
#define AUTHZ_GROUP_NOTE "authz_group_note"
#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
+#define AUTHZ_ACCESS_PASSED_NOTE "authz_access_passed"
+
+/** all of the requirements must be met */
+#define SATISFY_ALL 0
+/** any of the requirements must be met */
+#define SATISFY_ANY 1
+/** There are no applicable satisfy lines */
+#define SATISFY_NOSPEC 2
+
+APR_DECLARE_OPTIONAL_FN(int, ap_satisfies, (request_rec *r));
typedef enum {
AUTH_DENIED,
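Review bot: `AUTHZ_ACCESS_PASSED_NOTE` and the `ap_satisfies` optional function are a cross-module contract, but neither carries a comment, while the three `SATISFY_*` values do. The consumers added in this commit test the first character of the note for `'Y'` and `'N'`, and the producer is not part of this diff, so the header is the only place a reader can learn the protocol; add something like `/** r->notes key set by the host-based access-control stage: "Y" when Allow/Deny passed, "N" when it failed; consulted by authz when Satisfy Any is in effect */` above the define, and above the `APR_DECLARE_OPTIONAL_FN` line `/** Returns SATISFY_ALL/SATISFY_ANY/SATISFY_NOSPEC for r; the retrieved pointer is NULL when the providing module is not loaded, so callers must check it */`. Consider an `enum` for the three `SATISFY_*` values so the function's return type can name them.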
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index b3493ac4f7..db3453d57b 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -101,6 +101,8 @@ typedef struct {
authz_provider_list *providers;
authz_request_state req_state;
int req_state_level;
+// int some_authz;
+// char *path;
} authz_core_dir_conf;
typedef struct authz_core_srv_conf {
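Review bot: The two `//` lines added to authz_core_dir_conf (`// int some_authz;`, `// char *path;`) are commented-out code, and the same pattern appears in the other hunks of this file: `// conf->some_authz = -1;` in create_authz_core_dir_config, two `// conf->...` lines in add_authz_provider, and the `// if (!note || ...` variant in authorize_user. Either finish the feature or drop the lines; leaving a struct member commented out is especially misleading here because merge_authz_core_dir_config in this same commit dereferences `some_authz`. The rest of this file uses `/* */` comments, so `//` is also a style departure for a codebase of this vintage.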
@@ -117,6 +119,7 @@ static void *create_authz_core_dir_config(apr_pool_t *p, char *dummy)
conf->req_state = AUTHZ_REQSTATE_ONE;
conf->req_state_level = 0;
+// conf->some_authz = -1;
return (void *)conf;
}
@@ -131,7 +134,9 @@ static void *merge_authz_core_dir_config(apr_pool_t *a, void *basev, void *newv)
* (or creating copies for merging) where new-> values exist.
*/
conf = (authz_core_dir_conf *)apr_palloc(a, sizeof(authz_core_dir_conf));
- memcpy(conf, base, sizeof(authz_core_dir_conf));
+ memcpy(conf, new, sizeof(authz_core_dir_conf));
+
+ conf->some_authz = base->some_authz == -1 ? 0:base->some_authz == 0 ? 0:new->some_authz;
return (void*)conf;
}
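Review bot: `conf->some_authz`, `base->some_authz` and `new->some_authz` on the line after the memcpy refer to a member that this same commit adds to authz_core_dir_conf only as the comment `// int some_authz;`, so mod_authz_core.c should fail to compile as committed; restore the member or remove the line. Separately, changing the memcpy source from `base` to `new` inverts which configuration is taken as the starting point of the merge, and the ternary (`base->some_authz == -1 ? 0 : base->some_authz == 0 ? 0 : new->some_authz`) yields `new->some_authz` only when base is 1, which reads like inverted override semantics; if the intent is "the more specific scope wins", `conf->some_authz = (new->some_authz != -1) ? new->some_authz : base->some_authz;` is the usual shape. The remainder of merge_authz_core_dir_config is outside the hunk, so whether `providers` is re-merged afterwards cannot be seen here.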
@@ -155,6 +160,9 @@ static const char *add_authz_provider(cmd_parms *cmd, void *config,
authz_provider_list *newp;
const char *t, *w;
+// conf->some_authz = 1;
+// conf->path = apr_pstrdup(cmd->pool, cmd->path);
+
newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list));
t = arg;
@@ -583,12 +591,17 @@ static authz_status check_provider_list (request_rec *r, authz_provider_list *cu
return auth_result;
}
+APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
+
static int authorize_user(request_rec *r)
{
authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config,
&authz_core_module);
authz_status auth_result;
authz_provider_list *current_provider;
+ const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
+
+ ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
/* If we're not really configured for providers, stop now. */
if (!conf->providers) {
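Review bot: `APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;` is a file-scope definition with external linkage, and the mod_authz_default.c hunk in this commit defines the identical symbol the same way, so a build that links both modules statically into the server gets two definitions of `ap_satisfies`; make both `static`. The `APR_RETRIEVE_OPTIONAL_FN(ap_satisfies)` call also runs on every request inside authorize_user, whereas optional functions are normally resolved once at startup in an optional-fn-retrieve hook and cached; the per-request lookup is cheap but it also means the pointer may legitimately be NULL when the providing module is not loaded, and nothing in this hunk records that. A comment such as `/* NULL when the access-compat module is not loaded */` next to the retrieval would at least make the contract visible to the call sites.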
@@ -606,10 +619,21 @@ static int authorize_user(request_rec *r)
switch (auth_result) {
case AUTHZ_DENIED:
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "user %s: authorization failure for \"%s\": ",
- r->user, r->uri);
- return_code = HTTP_UNAUTHORIZED;
+ /* XXX If the deprecated Satisfy directive is set to Any and
+ authorization as denied, then check to see what
+ the access control stage said. Just the if statement
+ should be removed in 3.0 when the Satisfy directive
+ goes away. */
+// if (!note || ((note[0] == 'N') && (ap_satisfies(r) != SATISFY_ANY))) {
+ if (!note || (ap_satisfies(r) != SATISFY_ANY) || (note[0] == 'N')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "user %s: authorization failure for \"%s\": ",
+ r->user, r->uri);
+ return_code = HTTP_UNAUTHORIZED;
+ }
+ else {
+ return_code = DECLINED;
+ }
break;
case AUTHZ_GENERAL_ERROR:
default:
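Review bot: `ap_satisfies(r)` in the new `if (!note || (ap_satisfies(r) != SATISFY_ANY) || (note[0] == 'N'))` is called through a pointer that APR_RETRIEVE_OPTIONAL_FN returns as NULL when no module exports `ap_satisfies`; access_compat defaults to `most` rather than `yes` in config.m4, so a server built or configured without it crashes the child on every AUTHZ_DENIED instead of returning 401. Guard the pointer and keep the deny default: `if (!note || !ap_satisfies || (ap_satisfies(r) != SATISFY_ANY) || (note[0] == 'N')) {`. The same unguarded call appears in the mod_authz_default.c hunk in check_user_access (`(note && (note[0] == 'Y') && (ap_satisfies(r) == SATISFY_ANY))`), where the guard must be `ap_satisfies &&` so that a missing module does not grant access. The XXX comment also reads "authorization as denied"; it should say "authorization was denied". authorize_user begins in the previous hunk and its `return_code` handling continues outside this one.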
diff --git a/modules/aaa/mod_authz_default.c b/modules/aaa/mod_authz_default.c
index 8a4712278b..4d06c5341b 100644
--- a/modules/aaa/mod_authz_default.c
+++ b/modules/aaa/mod_authz_default.c
@@ -25,6 +25,9 @@
#include "http_protocol.h"
#include "http_request.h"
+#include "mod_auth.h"
+
+
typedef struct {
int authoritative;
} authz_default_config_rec;
@@ -49,10 +52,22 @@ static const command_rec authz_default_cmds[] =
module AP_MODULE_DECLARE_DATA authz_default_module;
+APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
+
static int check_user_access(request_rec *r)
{
authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_default_module);
+ const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
+
+ ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
+
+ /* If we got here and there isn't any authz required and there is no
+ note from the access checker that it failed, assume access is OK */
+ if (!ap_some_auth_required(r) ||
+ (note && (note[0] == 'Y') && (ap_satisfies(r) == SATISFY_ANY))) {
+ return OK;
+ }
if (!(conf->authoritative)) {
return DECLINED;