1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include "apr_strings.h"
18 #include "apr_lib.h" /* for apr_isspace */
19 #include "apr_base64.h" /* for apr_base64_decode et al */
20 #define APR_WANT_STRFUNC /* for strcasecmp */
23 #include "ap_config.h"
25 #include "http_config.h"
26 #include "http_core.h"
28 #include "http_protocol.h"
29 #include "http_request.h"
30 #include "ap_provider.h"
35 #include "mod_session.h"
36 #include "mod_request.h"
38 #define FORM_LOGIN_HANDLER "form-login-handler"
39 #define FORM_LOGOUT_HANDLER "form-logout-handler"
40 #define FORM_REDIRECT_HANDLER "form-redirect-handler"
41 #define MOD_AUTH_FORM_HASH "site"
43 static APR_OPTIONAL_FN_TYPE(ap_session_load) *ap_session_load_fn = NULL;
44 static APR_OPTIONAL_FN_TYPE(ap_session_get) *ap_session_get_fn = NULL;
45 static APR_OPTIONAL_FN_TYPE(ap_session_set) *ap_session_set_fn = NULL;
47 static void (*ap_request_insert_filter_fn) (request_rec * r) = NULL;
48 static void (*ap_request_remove_filter_fn) (request_rec * r) = NULL;
51 authn_provider_list *providers;
54 int authoritative_set;
64 int fakebasicauth_set;
74 int disable_no_store_set;
75 ap_expr_info_t *loginsuccess;
77 ap_expr_info_t *loginrequired;
78 int loginrequired_set;
79 ap_expr_info_t *logout;
81 } auth_form_config_rec;
83 static void *create_auth_form_dir_config(apr_pool_t * p, char *d)
85 auth_form_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
88 /* Any failures are fatal. */
89 conf->authoritative = 1;
91 /* form size defaults to 8k */
92 conf->form_size = HUGE_STRING_LEN;
94 /* default form field names */
95 conf->username = "httpd_username";
96 conf->password = "httpd_password";
97 conf->location = "httpd_location";
98 conf->method = "httpd_method";
99 conf->mimetype = "httpd_mimetype";
100 conf->body = "httpd_body";
105 static void *merge_auth_form_dir_config(apr_pool_t * p, void *basev, void *addv)
107 auth_form_config_rec *new = (auth_form_config_rec *) apr_pcalloc(p, sizeof(auth_form_config_rec));
108 auth_form_config_rec *add = (auth_form_config_rec *) addv;
109 auth_form_config_rec *base = (auth_form_config_rec *) basev;
111 new->providers = !add->providers ? base->providers : add->providers;
112 new->authoritative = (add->authoritative_set == 0) ? base->authoritative : add->authoritative;
113 new->authoritative_set = add->authoritative_set || base->authoritative_set;
114 new->site = (add->site_set == 0) ? base->site : add->site;
115 new->site_set = add->site_set || base->site_set;
116 new->username = (add->username_set == 0) ? base->username : add->username;
117 new->username_set = add->username_set || base->username_set;
118 new->password = (add->password_set == 0) ? base->password : add->password;
119 new->password_set = add->password_set || base->password_set;
120 new->location = (add->location_set == 0) ? base->location : add->location;
121 new->location_set = add->location_set || base->location_set;
122 new->form_size = (add->form_size_set == 0) ? base->form_size : add->form_size;
123 new->form_size_set = add->form_size_set || base->form_size_set;
124 new->fakebasicauth = (add->fakebasicauth_set == 0) ? base->fakebasicauth : add->fakebasicauth;
125 new->fakebasicauth_set = add->fakebasicauth_set || base->fakebasicauth_set;
126 new->method = (add->method_set == 0) ? base->method : add->method;
127 new->method_set = add->method_set || base->method_set;
128 new->mimetype = (add->mimetype_set == 0) ? base->mimetype : add->mimetype;
129 new->mimetype_set = add->mimetype_set || base->mimetype_set;
130 new->body = (add->body_set == 0) ? base->body : add->body;
131 new->body_set = add->body_set || base->body_set;
132 new->disable_no_store = (add->disable_no_store_set == 0) ? base->disable_no_store : add->disable_no_store;
133 new->disable_no_store_set = add->disable_no_store_set || base->disable_no_store_set;
134 new->loginsuccess = (add->loginsuccess_set == 0) ? base->loginsuccess : add->loginsuccess;
135 new->loginsuccess_set = add->loginsuccess_set || base->loginsuccess_set;
136 new->loginrequired = (add->loginrequired_set == 0) ? base->loginrequired : add->loginrequired;
137 new->loginrequired_set = add->loginrequired_set || base->loginrequired_set;
138 new->logout = (add->logout_set == 0) ? base->logout : add->logout;
139 new->logout_set = add->logout_set || base->logout_set;
144 static const char *add_authn_provider(cmd_parms * cmd, void *config,
147 auth_form_config_rec *conf = (auth_form_config_rec *) config;
148 authn_provider_list *newp;
150 newp = apr_pcalloc(cmd->pool, sizeof(authn_provider_list));
151 newp->provider_name = arg;
153 /* lookup and cache the actual provider now */
154 newp->provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
156 AUTHN_PROVIDER_VERSION);
158 if (newp->provider == NULL) {
160 * by the time they use it, the provider should be loaded and
161 * registered with us.
163 return apr_psprintf(cmd->pool,
164 "Unknown Authn provider: %s",
165 newp->provider_name);
168 if (!newp->provider->check_password) {
169 /* if it doesn't provide the appropriate function, reject it */
170 return apr_psprintf(cmd->pool,
171 "The '%s' Authn provider doesn't support "
172 "Form Authentication", newp->provider_name);
175 /* Add it to the list now. */
176 if (!conf->providers) {
177 conf->providers = newp;
180 authn_provider_list *last = conf->providers;
192 * Sanity check a given string that it exists, is not empty,
193 * and does not contain special characters.
195 static const char *check_string(cmd_parms * cmd, const char *string)
197 if (!string || !*string || ap_strchr_c(string, '=') || ap_strchr_c(string, '&')) {
198 return apr_pstrcat(cmd->pool, cmd->directive->directive,
199 " cannot be empty, or contain '=' or '&'.",
205 static const char *set_cookie_form_location(cmd_parms * cmd, void *config, const char *location)
207 auth_form_config_rec *conf = (auth_form_config_rec *) config;
208 conf->location = location;
209 conf->location_set = 1;
210 return check_string(cmd, location);
213 static const char *set_cookie_form_username(cmd_parms * cmd, void *config, const char *username)
215 auth_form_config_rec *conf = (auth_form_config_rec *) config;
216 conf->username = username;
217 conf->username_set = 1;
218 return check_string(cmd, username);
221 static const char *set_cookie_form_password(cmd_parms * cmd, void *config, const char *password)
223 auth_form_config_rec *conf = (auth_form_config_rec *) config;
224 conf->password = password;
225 conf->password_set = 1;
226 return check_string(cmd, password);
229 static const char *set_cookie_form_method(cmd_parms * cmd, void *config, const char *method)
231 auth_form_config_rec *conf = (auth_form_config_rec *) config;
232 conf->method = method;
233 conf->method_set = 1;
234 return check_string(cmd, method);
237 static const char *set_cookie_form_mimetype(cmd_parms * cmd, void *config, const char *mimetype)
239 auth_form_config_rec *conf = (auth_form_config_rec *) config;
240 conf->mimetype = mimetype;
241 conf->mimetype_set = 1;
242 return check_string(cmd, mimetype);
245 static const char *set_cookie_form_body(cmd_parms * cmd, void *config, const char *body)
247 auth_form_config_rec *conf = (auth_form_config_rec *) config;
250 return check_string(cmd, body);
253 static const char *set_cookie_form_size(cmd_parms * cmd, void *config,
256 auth_form_config_rec *conf = config;
259 if (APR_SUCCESS != apr_strtoff(&size, arg, NULL, 10)
260 || size < 0 || size > APR_SIZE_MAX) {
261 return "AuthCookieFormSize must be a size in bytes, or zero.";
263 conf->form_size = (apr_size_t)size;
264 conf->form_size_set = 1;
269 static const char *set_login_required_location(cmd_parms * cmd, void *config, const char *loginrequired)
271 auth_form_config_rec *conf = (auth_form_config_rec *) config;
274 conf->loginrequired = ap_expr_parse_cmd(cmd, loginrequired, AP_EXPR_FLAG_STRING_RESULT,
277 return apr_psprintf(cmd->pool,
278 "Could not parse login required expression '%s': %s",
281 conf->loginrequired_set = 1;
286 static const char *set_login_success_location(cmd_parms * cmd, void *config, const char *loginsuccess)
288 auth_form_config_rec *conf = (auth_form_config_rec *) config;
291 conf->loginsuccess = ap_expr_parse_cmd(cmd, loginsuccess, AP_EXPR_FLAG_STRING_RESULT,
294 return apr_psprintf(cmd->pool,
295 "Could not parse login success expression '%s': %s",
298 conf->loginsuccess_set = 1;
303 static const char *set_logout_location(cmd_parms * cmd, void *config, const char *logout)
305 auth_form_config_rec *conf = (auth_form_config_rec *) config;
308 conf->logout = ap_expr_parse_cmd(cmd, logout, AP_EXPR_FLAG_STRING_RESULT,
311 return apr_psprintf(cmd->pool,
312 "Could not parse logout required expression '%s': %s",
315 conf->logout_set = 1;
320 static const char *set_site_passphrase(cmd_parms * cmd, void *config, const char *site)
322 auth_form_config_rec *conf = (auth_form_config_rec *) config;
328 static const char *set_authoritative(cmd_parms * cmd, void *config, int flag)
330 auth_form_config_rec *conf = (auth_form_config_rec *) config;
331 conf->authoritative = flag;
332 conf->authoritative_set = 1;
336 static const char *set_fake_basic_auth(cmd_parms * cmd, void *config, int flag)
338 auth_form_config_rec *conf = (auth_form_config_rec *) config;
339 conf->fakebasicauth = flag;
340 conf->fakebasicauth_set = 1;
344 static const char *set_disable_no_store(cmd_parms * cmd, void *config, int flag)
346 auth_form_config_rec *conf = (auth_form_config_rec *) config;
347 conf->disable_no_store = flag;
348 conf->disable_no_store_set = 1;
352 static const command_rec auth_form_cmds[] =
354 AP_INIT_ITERATE("AuthFormProvider", add_authn_provider, NULL, OR_AUTHCFG,
355 "specify the auth providers for a directory or location"),
356 AP_INIT_TAKE1("AuthFormUsername", set_cookie_form_username, NULL, OR_AUTHCFG,
357 "The field of the login form carrying the username"),
358 AP_INIT_TAKE1("AuthFormPassword", set_cookie_form_password, NULL, OR_AUTHCFG,
359 "The field of the login form carrying the password"),
360 AP_INIT_TAKE1("AuthFormLocation", set_cookie_form_location, NULL, OR_AUTHCFG,
361 "The field of the login form carrying the URL to redirect on "
362 "successful login."),
363 AP_INIT_TAKE1("AuthFormMethod", set_cookie_form_method, NULL, OR_AUTHCFG,
364 "The field of the login form carrying the original request method."),
365 AP_INIT_TAKE1("AuthFormMimetype", set_cookie_form_mimetype, NULL, OR_AUTHCFG,
366 "The field of the login form carrying the original request mimetype."),
367 AP_INIT_TAKE1("AuthFormBody", set_cookie_form_body, NULL, OR_AUTHCFG,
368 "The field of the login form carrying the urlencoded original request "
370 AP_INIT_TAKE1("AuthFormSize", set_cookie_form_size, NULL, ACCESS_CONF,
371 "Maximum size of body parsed by the form parser"),
372 AP_INIT_TAKE1("AuthFormLoginRequiredLocation", set_login_required_location,
374 "If set, redirect the browser to this URL rather than "
375 "return 401 Not Authorized."),
376 AP_INIT_TAKE1("AuthFormLoginSuccessLocation", set_login_success_location,
378 "If set, redirect the browser to this URL when a login "
379 "processed by the login handler is successful."),
380 AP_INIT_TAKE1("AuthFormLogoutLocation", set_logout_location,
382 "The URL of the logout successful page. An attempt to access an "
383 "URL handled by the handler " FORM_LOGOUT_HANDLER " will result "
384 "in an redirect to this page after logout."),
385 AP_INIT_TAKE1("AuthFormSitePassphrase", set_site_passphrase,
387 "If set, use this passphrase to determine whether the user should "
388 "be authenticated. Bypasses the user authentication check on "
389 "every website hit, and is useful for high traffic sites."),
390 AP_INIT_FLAG("AuthFormAuthoritative", set_authoritative,
392 "Set to 'Off' to allow access control to be passed along to "
393 "lower modules if the UserID is not known to this module"),
394 AP_INIT_FLAG("AuthFormFakeBasicAuth", set_fake_basic_auth,
396 "Set to 'On' to pass through authentication to the rest of the "
397 "server as a basic authentication header."),
398 AP_INIT_FLAG("AuthFormDisableNoStore", set_disable_no_store,
400 "Set to 'on' to stop the sending of a Cache-Control no-store header with "
401 "the login screen. This allows the browser to cache the credentials, but "
402 "at the risk of it being possible for the login form to be resubmitted "
403 "and revealed to the backend server through XSS. Use at own risk."),
407 module AP_MODULE_DECLARE_DATA auth_form_module;
409 static void note_cookie_auth_failure(request_rec * r)
411 auth_form_config_rec *conf = ap_get_module_config(r->per_dir_config,
414 if (conf->location && ap_strchr_c(conf->location, ':')) {
415 apr_table_setn(r->err_headers_out, "Location", conf->location);
419 static int hook_note_cookie_auth_failure(request_rec * r,
420 const char *auth_type)
422 if (ap_cstr_casecmp(auth_type, "form"))
425 note_cookie_auth_failure(r);
430 * Set the auth username and password into the main request
433 static void set_notes_auth(request_rec * r,
434 const char *user, const char *pw,
435 const char *method, const char *mimetype)
437 apr_table_t *notes = NULL;
438 const char *authname;
440 /* find the main request */
444 /* find the first redirect */
450 /* have we isolated the user and pw before? */
451 authname = ap_auth_name(r);
453 apr_table_setn(notes, apr_pstrcat(r->pool, authname, "-user", NULL), user);
456 apr_table_setn(notes, apr_pstrcat(r->pool, authname, "-pw", NULL), pw);
459 apr_table_setn(notes, apr_pstrcat(r->pool, authname, "-method", NULL), method);
462 apr_table_setn(notes, apr_pstrcat(r->pool, authname, "-mimetype", NULL), mimetype);
468 * Get the auth username and password from the main request
469 * notes table, if present.
471 static void get_notes_auth(request_rec *r,
472 const char **user, const char **pw,
473 const char **method, const char **mimetype)
475 const char *authname;
478 /* find the main request */
482 /* find the first redirect */
487 /* have we isolated the user and pw before? */
488 authname = ap_auth_name(m);
490 *user = (char *) apr_table_get(m->notes, apr_pstrcat(m->pool, authname, "-user", NULL));
493 *pw = (char *) apr_table_get(m->notes, apr_pstrcat(m->pool, authname, "-pw", NULL));
496 *method = (char *) apr_table_get(m->notes, apr_pstrcat(m->pool, authname, "-method", NULL));
499 *mimetype = (char *) apr_table_get(m->notes, apr_pstrcat(m->pool, authname, "-mimetype", NULL));
502 /* set the user, even though the user is unauthenticated at this point */
504 r->user = (char *) *user;
507 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
508 "from notes: user: %s, pw: %s, method: %s, mimetype: %s",
509 user ? *user : "<null>", pw ? *pw : "<null>",
510 method ? *method : "<null>", mimetype ? *mimetype : "<null>");
515 * Set the auth username and password into the session.
517 * If either the username, or the password are NULL, the username
518 * and/or password will be removed from the session.
520 static apr_status_t set_session_auth(request_rec * r,
521 const char *user, const char *pw, const char *site)
523 const char *hash = NULL;
524 const char *authname = ap_auth_name(r);
525 session_rec *z = NULL;
528 hash = ap_md5(r->pool,
529 (unsigned char *) apr_pstrcat(r->pool, user, ":", site, NULL));
532 ap_session_load_fn(r, &z);
533 ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_USER, NULL), user);
534 ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_PW, NULL), pw);
535 ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_AUTH_FORM_HASH, NULL), hash);
542 * Get the auth username and password from the main request
543 * notes table, if present.
545 static apr_status_t get_session_auth(request_rec * r,
546 const char **user, const char **pw, const char **hash)
548 const char *authname = ap_auth_name(r);
549 session_rec *z = NULL;
551 ap_session_load_fn(r, &z);
554 ap_session_get_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_USER, NULL), user);
557 ap_session_get_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_PW, NULL), pw);
560 ap_session_get_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_AUTH_FORM_HASH, NULL), hash);
563 /* set the user, even though the user is unauthenticated at this point */
565 r->user = (char *) *user;
568 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
569 "from session: " MOD_SESSION_USER ": %s, " MOD_SESSION_PW
570 ": %s, " MOD_AUTH_FORM_HASH ": %s",
571 user ? *user : "<null>", pw ? *pw : "<null>",
572 hash ? *hash : "<null>");
579 * Isolate the username and password in a POSTed form with the
580 * username in the "username" field, and the password in the
583 * If either the username or the password is missing, this
584 * function will return HTTP_UNAUTHORIZED.
586 * The location field is considered optional, and will be returned
589 static int get_form_auth(request_rec * r,
590 const char *username,
591 const char *password,
592 const char *location,
594 const char *mimetype,
596 const char **sent_user,
597 const char **sent_pw,
598 const char **sent_loc,
599 const char **sent_method,
600 const char **sent_mimetype,
601 apr_bucket_brigade **sent_body,
602 auth_form_config_rec * conf)
604 /* sanity check - are we a POST request? */
606 /* find the username and password in the form */
607 apr_array_header_t *pairs = NULL;
613 /* have we isolated the user and pw before? */
614 get_notes_auth(r, sent_user, sent_pw, sent_method, sent_mimetype);
615 if (sent_user && *sent_user && sent_pw && *sent_pw) {
619 res = ap_parse_form_data(r, NULL, &pairs, -1, conf->form_size);
623 while (pairs && !apr_is_empty_array(pairs)) {
624 ap_form_pair_t *pair = (ap_form_pair_t *) apr_array_pop(pairs);
625 if (username && !strcmp(pair->name, username) && sent_user) {
626 apr_brigade_length(pair->value, 1, &len);
627 size = (apr_size_t) len;
628 buffer = apr_palloc(r->pool, size + 1);
629 apr_brigade_flatten(pair->value, buffer, &size);
633 else if (password && !strcmp(pair->name, password) && sent_pw) {
634 apr_brigade_length(pair->value, 1, &len);
635 size = (apr_size_t) len;
636 buffer = apr_palloc(r->pool, size + 1);
637 apr_brigade_flatten(pair->value, buffer, &size);
641 else if (location && !strcmp(pair->name, location) && sent_loc) {
642 apr_brigade_length(pair->value, 1, &len);
643 size = (apr_size_t) len;
644 buffer = apr_palloc(r->pool, size + 1);
645 apr_brigade_flatten(pair->value, buffer, &size);
649 else if (method && !strcmp(pair->name, method) && sent_method) {
650 apr_brigade_length(pair->value, 1, &len);
651 size = (apr_size_t) len;
652 buffer = apr_palloc(r->pool, size + 1);
653 apr_brigade_flatten(pair->value, buffer, &size);
655 *sent_method = buffer;
657 else if (mimetype && !strcmp(pair->name, mimetype) && sent_mimetype) {
658 apr_brigade_length(pair->value, 1, &len);
659 size = (apr_size_t) len;
660 buffer = apr_palloc(r->pool, size + 1);
661 apr_brigade_flatten(pair->value, buffer, &size);
663 *sent_mimetype = buffer;
665 else if (body && !strcmp(pair->name, body) && sent_body) {
666 *sent_body = pair->value;
670 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
671 "from form: user: %s, pw: %s, method: %s, mimetype: %s, location: %s",
672 sent_user ? *sent_user : "<null>", sent_pw ? *sent_pw : "<null>",
673 sent_method ? *sent_method : "<null>",
674 sent_mimetype ? *sent_mimetype : "<null>",
675 sent_loc ? *sent_loc : "<null>");
677 /* set the user, even though the user is unauthenticated at this point */
678 if (sent_user && *sent_user) {
679 r->user = (char *) *sent_user;
682 /* a missing username or missing password means auth denied */
683 if (!sent_user || !*sent_user) {
685 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02982)
686 "form parsed, but username field '%s' was missing or empty, unauthorized",
689 return HTTP_UNAUTHORIZED;
691 if (!sent_pw || !*sent_pw) {
693 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02983)
694 "form parsed, but password field '%s' was missing or empty, unauthorized",
697 return HTTP_UNAUTHORIZED;
701 * save away the username, password, mimetype and method, so that they
702 * are available should the auth need to be run again.
704 set_notes_auth(r, *sent_user, *sent_pw, sent_method ? *sent_method : NULL,
705 sent_mimetype ? *sent_mimetype : NULL);
710 /* These functions return 0 if client is OK, and proper error status
711 * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
712 * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we
713 * couldn't figure out how to tell if the client is authorized or not.
715 * If they return DECLINED, and all other modules also decline, that's
716 * treated by the server core as a configuration error, logged and
722 * Given a username and site passphrase hash from the session, determine
723 * whether the site passphrase is valid for this session.
725 * If the site passphrase is NULL, or if the sent_hash is NULL, this
726 * function returns DECLINED.
728 * If the site passphrase hash does not match the sent hash, this function
729 * returns AUTH_USER_NOT_FOUND.
731 * On success, returns OK.
733 static int check_site(request_rec * r, const char *site, const char *sent_user, const char *sent_hash)
736 if (site && sent_user && sent_hash) {
737 const char *hash = ap_md5(r->pool,
738 (unsigned char *) apr_pstrcat(r->pool, sent_user, ":", site, NULL));
740 if (!strcmp(sent_hash, hash)) {
744 return AUTH_USER_NOT_FOUND;
753 * Given a username and password (extracted externally from a cookie), run
754 * the authnz hooks to determine whether this request is authorized.
756 * Return an HTTP code.
758 static int check_authn(request_rec * r, const char *sent_user, const char *sent_pw)
760 authn_status auth_result;
761 authn_provider_list *current_provider;
762 auth_form_config_rec *conf = ap_get_module_config(r->per_dir_config,
765 current_provider = conf->providers;
767 const authn_provider *provider;
770 * For now, if a provider isn't set, we'll be nice and use the file
773 if (!current_provider) {
774 provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
775 AUTHN_DEFAULT_PROVIDER,
776 AUTHN_PROVIDER_VERSION);
778 if (!provider || !provider->check_password) {
779 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01806)
780 "no authn provider configured");
781 auth_result = AUTH_GENERAL_ERROR;
784 apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, AUTHN_DEFAULT_PROVIDER);
787 provider = current_provider->provider;
788 apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE, current_provider->provider_name);
791 if (!sent_user || !sent_pw) {
792 auth_result = AUTH_USER_NOT_FOUND;
796 auth_result = provider->check_password(r, sent_user, sent_pw);
798 apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);
800 /* Something occurred. Stop checking. */
801 if (auth_result != AUTH_USER_NOT_FOUND) {
805 /* If we're not really configured for providers, stop now. */
806 if (!conf->providers) {
810 current_provider = current_provider->next;
811 } while (current_provider);
813 if (auth_result != AUTH_GRANTED) {
816 /* If we're not authoritative, then any error is ignored. */
817 if (!(conf->authoritative) && auth_result != AUTH_DENIED) {
821 switch (auth_result) {
823 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01807)
824 "user '%s': authentication failure for \"%s\": "
827 return_code = HTTP_UNAUTHORIZED;
829 case AUTH_USER_NOT_FOUND:
830 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01808)
831 "user '%s' not found: %s", sent_user, r->uri);
832 return_code = HTTP_UNAUTHORIZED;
834 case AUTH_GENERAL_ERROR:
837 * We'll assume that the module has already said what its error
840 return_code = HTTP_INTERNAL_SERVER_ERROR;
844 /* If we're returning 401, tell them to try again. */
845 if (return_code == HTTP_UNAUTHORIZED) {
846 note_cookie_auth_failure(r);
849 /* TODO: Flag the user somehow as to the reason for the failure */
858 /* fake the basic authentication header if configured to do so */
859 static void fake_basic_authentication(request_rec *r, auth_form_config_rec *conf,
860 const char *user, const char *pw)
862 if (conf->fakebasicauth) {
863 char *basic = apr_pstrcat(r->pool, user, ":", pw, NULL);
864 apr_size_t size = (apr_size_t) strlen(basic);
865 char *base64 = apr_palloc(r->pool,
866 apr_base64_encode_len(size + 1) * sizeof(char));
867 apr_base64_encode(base64, basic, size);
868 apr_table_setn(r->headers_in, "Authorization",
869 apr_pstrcat(r->pool, "Basic ", base64, NULL));
874 * Must we use form authentication? If so, extract the cookie and run
875 * the authnz hooks to determine if the login is valid.
877 * If the login is not valid, a 401 Not Authorized will be returned. It
878 * is up to the webmaster to ensure this screen displays a suitable login
879 * form to give the user the opportunity to log in.
881 static int authenticate_form_authn(request_rec * r)
883 auth_form_config_rec *conf = ap_get_module_config(r->per_dir_config,
885 const char *sent_user = NULL, *sent_pw = NULL, *sent_hash = NULL;
886 const char *sent_loc = NULL, *sent_method = "GET", *sent_mimetype = NULL;
887 const char *current_auth = NULL;
890 int rv = HTTP_UNAUTHORIZED;
892 /* Are we configured to be Form auth? */
893 current_auth = ap_auth_type(r);
894 if (!current_auth || ap_cstr_casecmp(current_auth, "form")) {
899 * XSS security warning: using cookies to store private data only works
900 * when the administrator has full control over the source website. When
901 * in forward-proxy mode, websites are public by definition, and so can
902 * never be secure. Abort the auth attempt in this case.
904 if (PROXYREQ_PROXY == r->proxyreq) {
905 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01809)
906 "form auth cannot be used for proxy "
907 "requests due to XSS risk, access denied: %s", r->uri);
908 return HTTP_INTERNAL_SERVER_ERROR;
911 /* We need an authentication realm. */
912 if (!ap_auth_name(r)) {
913 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01810)
914 "need AuthName: %s", r->uri);
915 return HTTP_INTERNAL_SERVER_ERROR;
918 r->ap_auth_type = (char *) current_auth;
920 /* try get the username and password from the notes, if present */
921 get_notes_auth(r, &sent_user, &sent_pw, &sent_method, &sent_mimetype);
922 if (!sent_user || !sent_pw || !*sent_user || !*sent_pw) {
924 /* otherwise try get the username and password from a session, if present */
925 res = get_session_auth(r, &sent_user, &sent_pw, &sent_hash);
932 /* first test whether the site passphrase matches */
933 if (APR_SUCCESS == res && sent_user && sent_hash && sent_pw) {
934 rv = check_site(r, conf->site, sent_user, sent_hash);
936 fake_basic_authentication(r, conf, sent_user, sent_pw);
941 /* otherwise test for a normal password match */
942 if (APR_SUCCESS == res && sent_user && sent_pw) {
943 rv = check_authn(r, sent_user, sent_pw);
945 fake_basic_authentication(r, conf, sent_user, sent_pw);
951 * If we reach this point, the request should fail with access denied,
952 * except for one potential scenario:
954 * If the request is a POST, and the posted form contains user defined fields
955 * for a username and a password, and the username and password are correct,
956 * then return the response obtained by a GET to this URL.
958 * If an additional user defined location field is present in the form,
959 * instead of a GET of the current URL, redirect the browser to the new
962 * As a further option, if the user defined fields for the type of request,
963 * the mime type of the body of the request, and the body of the request
964 * itself are present, replace this request with a new request of the given
965 * type and with the given body.
967 * Otherwise access is denied.
969 * Reading the body requires some song and dance, because the input filters
970 * are not yet configured. To work around this problem, we create a
971 * subrequest and use that to create a sane filter stack we can read the
974 * The main request is then capped with a kept_body input filter, which has
975 * the effect of guaranteeing the input stack can be safely read a second time.
978 if (HTTP_UNAUTHORIZED == rv && r->method_number == M_POST && ap_is_initial_req(r)) {
980 apr_bucket_brigade *sent_body = NULL;
982 /* create a subrequest of our current uri */
983 rr = ap_sub_req_lookup_uri(r->uri, r, r->input_filters);
984 rr->headers_in = r->headers_in;
986 /* run the insert_filters hook on the subrequest to ensure a body read can
989 ap_run_insert_filter(rr);
991 /* parse the form by reading the subrequest */
992 rv = get_form_auth(rr, conf->username, conf->password, conf->location,
993 conf->method, conf->mimetype, conf->body,
994 &sent_user, &sent_pw, &sent_loc, &sent_method,
995 &sent_mimetype, &sent_body, conf);
997 /* make sure any user detected within the subrequest is saved back to
1000 r->user = apr_pstrdup(r->pool, rr->user);
1002 /* we cannot clean up rr at this point, as memory allocated to rr is
1003 * referenced from the main request. It will be cleaned up when the
1004 * main request is cleaned up.
1007 /* insert the kept_body filter on the main request to guarantee the
1008 * input filter stack cannot be read a second time, optionally inject
1009 * a saved body if one was specified in the login form.
1011 if (sent_body && sent_mimetype) {
1012 apr_table_set(r->headers_in, "Content-Type", sent_mimetype);
1013 r->kept_body = sent_body;
1016 r->kept_body = apr_brigade_create(r->pool, r->connection->bucket_alloc);
1018 ap_request_insert_filter_fn(r);
1020 /* did the form ask to change the method? if so, switch in the redirect handler
1021 * to relaunch this request as the subrequest with the new method. If the
1022 * form didn't specify a method, the default value GET will force a redirect.
1024 if (sent_method && strcmp(r->method, sent_method)) {
1025 r->handler = FORM_REDIRECT_HANDLER;
1028 /* check the authn in the main request, based on the username found */
1030 rv = check_authn(r, sent_user, sent_pw);
1032 fake_basic_authentication(r, conf, sent_user, sent_pw);
1033 set_session_auth(r, sent_user, sent_pw, conf->site);
1035 apr_table_set(r->headers_out, "Location", sent_loc);
1036 return HTTP_MOVED_TEMPORARILY;
1038 if (conf->loginsuccess) {
1039 const char *loginsuccess = ap_expr_str_exec(r,
1040 conf->loginsuccess, &err);
1042 apr_table_set(r->headers_out, "Location", loginsuccess);
1043 return HTTP_MOVED_TEMPORARILY;
1046 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02339)
1047 "Can't evaluate login success expression: %s", err);
1048 return HTTP_INTERNAL_SERVER_ERROR;
1057 * did the admin prefer to be redirected to the login page on failure
1060 if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
1061 const char *loginrequired = ap_expr_str_exec(r,
1062 conf->loginrequired, &err);
1064 apr_table_set(r->headers_out, "Location", loginrequired);
1065 return HTTP_MOVED_TEMPORARILY;
1068 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02340)
1069 "Can't evaluate login required expression: %s", err);
1070 return HTTP_INTERNAL_SERVER_ERROR;
1074 /* did the user ask to be redirected on login success? */
1076 apr_table_set(r->headers_out, "Location", sent_loc);
1077 rv = HTTP_MOVED_TEMPORARILY;
1082 * potential security issue: if we return a login to the browser, we must
1083 * send a no-store to make sure a well behaved browser will not try and
1084 * send the login details a second time if the back button is pressed.
1086 * if the user has full control over the backend, the
1087 * AuthCookieDisableNoStore can be used to turn this off.
1089 if (HTTP_UNAUTHORIZED == rv && !conf->disable_no_store) {
1090 apr_table_addn(r->headers_out, "Cache-Control", "no-store");
1091 apr_table_addn(r->err_headers_out, "Cache-Control", "no-store");
1099 * Handle a login attempt.
1101 * If the login session is either missing or form authnz is unsuccessful, a
1102 * 401 Not Authorized will be returned to the browser. The webmaster
1103 * is expected to insert a login form into the 401 Not Authorized
1106 * If the webmaster wishes, they can point the form submission at this
1107 * handler, which will redirect the user to the correct page on success.
1108 * On failure, the 401 Not Authorized error screen will be redisplayed,
1109 * where the login attempt can be repeated.
1112 static int authenticate_form_login_handler(request_rec * r)
1114 auth_form_config_rec *conf;
1117 const char *sent_user = NULL, *sent_pw = NULL, *sent_loc = NULL;
1120 if (strcmp(r->handler, FORM_LOGIN_HANDLER)) {
1124 if (r->method_number != M_POST) {
1125 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01811)
1126 "the " FORM_LOGIN_HANDLER " only supports the POST method for %s",
1128 return HTTP_METHOD_NOT_ALLOWED;
1131 conf = ap_get_module_config(r->per_dir_config, &auth_form_module);
1133 rv = get_form_auth(r, conf->username, conf->password, conf->location,
1135 &sent_user, &sent_pw, &sent_loc,
1136 NULL, NULL, NULL, conf);
1138 rv = check_authn(r, sent_user, sent_pw);
1140 set_session_auth(r, sent_user, sent_pw, conf->site);
1142 apr_table_set(r->headers_out, "Location", sent_loc);
1143 return HTTP_MOVED_TEMPORARILY;
1145 if (conf->loginsuccess) {
1146 const char *loginsuccess = ap_expr_str_exec(r,
1147 conf->loginsuccess, &err);
1149 apr_table_set(r->headers_out, "Location", loginsuccess);
1150 return HTTP_MOVED_TEMPORARILY;
1153 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02341)
1154 "Can't evaluate login success expression: %s", err);
1155 return HTTP_INTERNAL_SERVER_ERROR;
1162 /* did we prefer to be redirected to the login page on failure instead? */
1163 if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
1164 const char *loginrequired = ap_expr_str_exec(r,
1165 conf->loginrequired, &err);
1167 apr_table_set(r->headers_out, "Location", loginrequired);
1168 return HTTP_MOVED_TEMPORARILY;
1171 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02342)
1172 "Can't evaluate login required expression: %s", err);
1173 return HTTP_INTERNAL_SERVER_ERROR;
1182 * Handle a logout attempt.
1184 * If an attempt is made to access this URL, any username and password
1185 * embedded in the session is deleted.
1187 * This has the effect of logging the person out.
1189 * If a logout URI has been specified, this function will create an
1190 * internal redirect to this page.
1192 static int authenticate_form_logout_handler(request_rec * r)
1194 auth_form_config_rec *conf;
1197 if (strcmp(r->handler, FORM_LOGOUT_HANDLER)) {
1201 conf = ap_get_module_config(r->per_dir_config, &auth_form_module);
1203 /* remove the username and password, effectively logging the user out */
1204 set_session_auth(r, NULL, NULL, NULL);
1207 * make sure the logout page is never cached - otherwise the logout won't
1210 apr_table_addn(r->headers_out, "Cache-Control", "no-store");
1211 apr_table_addn(r->err_headers_out, "Cache-Control", "no-store");
1213 /* if set, internal redirect to the logout page */
1215 const char *logout = ap_expr_str_exec(r,
1216 conf->logout, &err);
1218 apr_table_addn(r->headers_out, "Location", logout);
1219 return HTTP_TEMPORARY_REDIRECT;
1222 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02343)
1223 "Can't evaluate logout expression: %s", err);
1224 return HTTP_INTERNAL_SERVER_ERROR;
1233 * Handle a redirect attempt.
1235 * If during a form login, the method, mimetype and request body are
1236 * specified, this handler will ensure that this request is included
1237 * as an internal redirect.
1240 static int authenticate_form_redirect_handler(request_rec * r)
1243 request_rec *rr = NULL;
1244 const char *sent_method = NULL, *sent_mimetype = NULL;
1246 if (strcmp(r->handler, FORM_REDIRECT_HANDLER)) {
1250 /* get the method and mimetype from the notes */
1251 get_notes_auth(r, NULL, NULL, &sent_method, &sent_mimetype);
1253 if (r->kept_body && sent_method && sent_mimetype) {
1255 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01812)
1256 "internal redirect to method '%s' and body mimetype '%s' for the "
1257 "uri: %s", sent_method, sent_mimetype, r->uri);
1259 rr = ap_sub_req_method_uri(sent_method, r->uri, r, r->output_filters);
1260 r->status = ap_run_sub_req(rr);
1264 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01813)
1265 "internal redirect requested but one or all of method, mimetype or "
1266 "body are NULL: %s", r->uri);
1267 return HTTP_INTERNAL_SERVER_ERROR;
1270 /* return the underlying error, or OK on success */
1271 return r->status == HTTP_OK || r->status == OK ? OK : r->status;
1275 static int authenticate_form_post_config(apr_pool_t *pconf, apr_pool_t *plog,
1276 apr_pool_t *ptemp, server_rec *s)
1279 if (!ap_session_load_fn || !ap_session_get_fn || !ap_session_set_fn) {
1280 ap_session_load_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_load);
1281 ap_session_get_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_get);
1282 ap_session_set_fn = APR_RETRIEVE_OPTIONAL_FN(ap_session_set);
1283 if (!ap_session_load_fn || !ap_session_get_fn || !ap_session_set_fn) {
1284 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, APLOGNO(02617)
1285 "You must load mod_session to enable the mod_auth_form "
1291 if (!ap_request_insert_filter_fn || !ap_request_remove_filter_fn) {
1292 ap_request_insert_filter_fn = APR_RETRIEVE_OPTIONAL_FN(ap_request_insert_filter);
1293 ap_request_remove_filter_fn = APR_RETRIEVE_OPTIONAL_FN(ap_request_remove_filter);
1294 if (!ap_request_insert_filter_fn || !ap_request_remove_filter_fn) {
1295 ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, APLOGNO(02618)
1296 "You must load mod_request to enable the mod_auth_form "
1305 static void register_hooks(apr_pool_t * p)
1307 ap_hook_post_config(authenticate_form_post_config,NULL,NULL,APR_HOOK_MIDDLE);
1309 #if AP_MODULE_MAGIC_AT_LEAST(20080403,1)
1310 ap_hook_check_authn(authenticate_form_authn, NULL, NULL, APR_HOOK_MIDDLE,
1311 AP_AUTH_INTERNAL_PER_CONF);
1313 ap_hook_check_user_id(authenticate_form_authn, NULL, NULL, APR_HOOK_MIDDLE);
1315 ap_hook_handler(authenticate_form_login_handler, NULL, NULL, APR_HOOK_MIDDLE);
1316 ap_hook_handler(authenticate_form_logout_handler, NULL, NULL, APR_HOOK_MIDDLE);
1317 ap_hook_handler(authenticate_form_redirect_handler, NULL, NULL, APR_HOOK_MIDDLE);
1319 ap_hook_note_auth_failure(hook_note_cookie_auth_failure, NULL, NULL,
1323 AP_DECLARE_MODULE(auth_form) =
1325 STANDARD20_MODULE_STUFF,
1326 create_auth_form_dir_config, /* dir config creater */
1327 merge_auth_form_dir_config, /* dir merger --- default is to override */
1328 NULL, /* server config */
1329 NULL, /* merge server config */
1330 auth_form_cmds, /* command apr_table_t */
1331 register_hooks /* register hooks */