Changes with Apache 2.3.7
+ *) core: Try to proceed with authorization even if authentication failed.
+ This allows e.g. to authorize by user _or_ ip address. [Stefan Fritsch]
+
*) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
*) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
* Modules without documentation need to be moved to experimental or be
removed.
- * There is no working equivalent to 'Satisfy any' to authorize by
- user _or_ IP address:
- http://mail-archives.apache.org/mod_mbox/httpd-dev/200912.mbox/<4B28E73C.4050209%40kippdata.de>
-
* Not all MPMs are updated to set conn_rec::current_thread correctly.
(Prefork, Worker, Event, Simple are updated).
jim sez: Then we just ship with those... mark any others as
experimental
+ * Fix or remove ap_note_auth_failure():
+ There are two incompatible sets of *note_*_auth_failure functions, one in
+ server/protocol.c, the other in mod_auth_*.c. The set in server/protocol.c
+ should be axed and ap_note_auth_failure() must either call the functions in
+ mod_auth_*.c or must be removed, too.
+
FOR NEXT ALPHA:
return OK;
}
else if (auth_result == AUTHZ_DENIED || auth_result == AUTHZ_NEUTRAL) {
- if (r->ap_auth_type == NULL) {
+ if (ap_auth_type(r) == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
"client denied by server configuration: %s%s",
r->filename ? "" : "uri ",
r->user, r->uri);
/* If we're returning 403, tell them to try again. */
- ap_note_auth_failure(r);
+ /* XXX: ap_note_auth_failure is currently broken */
+ /*ap_note_auth_failure(r);*/
return HTTP_UNAUTHORIZED;
}
r->ap_auth_type = r->main->ap_auth_type;
}
else {
+ char *failed_user = NULL;
switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC:
}
if ((access_status = ap_run_check_user_id(r)) != OK) {
- return decl_die(access_status, "check user", r);
+ if (access_status == HTTP_UNAUTHORIZED) {
+ failed_user = r->user;
+ r->user = NULL;
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "authn failed with HTTP_UNAUTHORIZED, "
+ "trying authz without user");
+ }
+ else {
+ return decl_die(access_status, "check user", r);
+ }
}
if ((access_status = ap_run_auth_checker(r)) != OK) {
+ if (failed_user)
+ r->user = failed_user;
return decl_die(access_status, "check authorization", r);
}
break;
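Review bot: When authn fails with HTTP_UNAUTHORIZED and ap_run_auth_checker then denies as well, the new lines before the second decl_die restore r->user but pass the authz status on, so a client that presented bad credentials gets whatever the authorizer returned for an anonymous request instead of the original 401; keeping the authn status beside the user (`int failed_status = 0;` set next to `failed_user = r->user;`) and returning it on that path would preserve the challenge semantics. On the success path r->user stays NULL, so a request granted by address after bad credentials proceeds with no username and the attempted name is lost to logging; whether that is intended deserves a comment at the point where r->user is cleared. The same block is repeated verbatim in the following hunk (the ap_run_access_checker branch); a small static helper taking r and the failed-user slot would keep both SATISFY branches in step. The commented-out ap_note_auth_failure() before `return HTTP_UNAUTHORIZED;` means that 401 is now sent without a WWW-Authenticate challenge, which the XXX comment acknowledges but does not resolve. The enclosing function begins and ends outside the hunk.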
if ((access_status = ap_run_access_checker(r)) != OK) {
if ((access_status = ap_run_check_user_id(r)) != OK) {
- return decl_die(access_status, "check user", r);
+ if (access_status == HTTP_UNAUTHORIZED) {
+ failed_user = r->user;
+ r->user = NULL;
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "authn failed with HTTP_UNAUTHORIZED, "
+ "trying authz without user");
+ }
+ else {
+ return decl_die(access_status, "check user", r);
+ }
}
if ((access_status = ap_run_auth_checker(r)) != OK) {
+ if (failed_user)
+ r->user = failed_user;
return decl_die(access_status, "check authorization", r);
}
}