From: jan@unixpapa.com
Date: Thu, 21 May 2009 19:49:38 +0000 (+0000)
Subject: AuthzUnixgroupError directive added.
X-Git-Tag: mod_authz_unixgroup-1.0.2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a82e92075eea5ad3a3b7e526698ea5b339c4b265;p=apache-authnz-external
AuthzUnixgroupError directive added.
---
diff --git a/mod_authz_unixgroup/CHANGES b/mod_authz_unixgroup/CHANGES
index 7bff981..0ba8c31 100644
--- a/mod_authz_unixgroup/CHANGES
+++ b/mod_authz_unixgroup/CHANGES
@@ -1,6 +1,9 @@
-v1.0.2 (Jan Wolter - not yet released)
+v1.0.2 (Jan Wolter - May 21, 2009)
 ------------------------------------
- * Adding copyright and Apache Version 2.0 license
+ * Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE
+ files.
+ * New directive: AuthzUnixgroupError, can be used to specify the HTTP
+ error number to be returned on failure.
 v1.0.1 (Jan Wolter - Aug 6, 2008)
 ------------------------------------
diff --git a/mod_authz_unixgroup/INSTALL b/mod_authz_unixgroup/INSTALL
index 97fbd09..bf5f6f5 100644
--- a/mod_authz_unixgroup/INSTALL
+++ b/mod_authz_unixgroup/INSTALL
@@ -136,6 +136,18 @@ we do:
 Then a user will be able to access a file if and only if that file is owned by a group of which the user is a member.
+Normally, when an access check fails, mod_authz_unixgroup will return a
+HTTP 401 error. This will typically cause the browser to pop up a message
+saying "Authentication Failed" and then the browser will ask for a new login
+name. In some cases this is not the desired behavior. If you are using the
+"Require file-group" directive, you may not want to log the user off every time
+he hits a file he doesn't have access to. Maybe you'd rather just show a
+"Permission denied message" and not log him off. You could do that by
+directing mod_authz_unixgroup to return a 403 error instead of a 401 error.
+You can do this with the following directive:
+ AuthnzUnixgroupError 403
+
 By default, mod_authz_unixgroup is authoritative. If you want to use more than one group checker, like mod_authz_unixgroup together with mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non-
diff --git a/mod_authz_unixgroup/mod_authz_unixgroup.c b/mod_authz_unixgroup/mod_authz_unixgroup.c
index 452d2d7..392a0c2 100644
--- a/mod_authz_unixgroup/mod_authz_unixgroup.c
+++ b/mod_authz_unixgroup/mod_authz_unixgroup.c
@@ -40,6 +40,7 @@ typedef struct {
 int enabled;
 int authoritative;
+ char *errcode;
 } authz_unixgroup_dir_config_rec;
@@ -57,6 +58,7 @@ static void *create_authz_unixgroup_dir_config(apr_pool_t *p, char *d)
 dir->enabled= 0;
 dir->authoritative= 1; /* strong by default */
+ dir->errcode= NULL; /* default to 401 */
 return dir;
 }
@@ -81,6 +83,12 @@ static const command_rec authz_unixgroup_cmds[] =
 "Set to 'off' to allow access control to be passed along to lower " "modules if this module can't confirm access rights" ),
+ AP_INIT_TAKE1("AuthzUnixgroupError", ap_set_string_slot, (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode), OR_AUTHCFG, "HTTP error code to return when user is not in group" ),
+
 { NULL }
 };
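Review bot: The new `AuthzUnixgroupError` table entry stores the argument with `ap_set_string_slot` and leaves all interpretation to the `atoi()` in the access-checker hunk below, so the value is never validated: a mistyped value such as `AuthzUnixgroupError 4O3` silently becomes 401 with no diagnostic, and any positive integer (200, 302, 999) is handed straight back to the core as the request status, which this module has no reason to offer. Validate once at configuration time with a dedicated setter that accepts only a bare decimal 4xx status and otherwise returns an error string, so a bad value fails the server start instead of being discovered per request; the request-time `atoi()` can then stay as a fallback or the field can become a plain `int`. The INSTALL hunk above spells the example `AuthnzUnixgroupError 403`, which httpd would reject at startup as an invalid command; it should read `AuthzUnixgroupError 403`. The `{ NULL }` sentinel and the earlier table entries are unchanged.
```c
/* Validate AuthzUnixgroupError once, when the configuration is read: accept
 * only a bare decimal 4xx status so that a mistyped value is reported instead
 * of silently falling back to 401 on every request. */
static const char *set_authz_unixgroup_error(cmd_parms *cmd, void *config,
                                             const char *arg)
{
    char *end;
    long code = strtol(arg, &end, 10);

    if (*arg == '\0' || *end != '\0' || code < 400 || code > 499)
        return "AuthzUnixgroupError must be a decimal HTTP status code in the 4xx range";
    return ap_set_string_slot(cmd, config, arg);
}

/* … unchanged: AuthzUnixgroup / AuthzUnixgroupAuthoritative entries … */
    AP_INIT_TAKE1("AuthzUnixgroupError",
                  set_authz_unixgroup_error,
                  (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode),
                  OR_AUTHCFG,
                  "HTTP error code to return when user is not in group" ),
```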
@@ -169,11 +177,11 @@ static int authz_unixgroup_check_user_access(request_rec *r)
 ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
 int m= r->method_number;
- int required_group= 0;
- register int x;
+ int i,ret;
 const char *t, *w;
 const apr_array_header_t *reqs_arr= ap_requires(r);
 const char *filegroup= NULL;
+ int required_group= 0;
 require_line *reqs;
 /* If not enabled, pass */
@@ -184,11 +192,11 @@ static int authz_unixgroup_check_user_access(request_rec *r)
 reqs= (require_line *)reqs_arr->elts;
 /* Loop through the "Require" argument list */
- for(x= 0; x < reqs_arr->nelts; x++)
+ for(i= 0; i < reqs_arr->nelts; i++)
 {
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue;
+ if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue;
- t= reqs[x].requirement;
+ t= reqs[i].requirement;
 w= ap_getword_white(r->pool, &t);
 /* The 'file-group' directive causes mod_authz_owner to store the
@@ -228,11 +236,13 @@ static int authz_unixgroup_check_user_access(request_rec *r)
 /* Authentication failed and we are authoritive, declare unauthorized */
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not allowed access",
- r->uri, r->user);
+ "access to %s failed, reason: user %s not allowed access (%s)",
+ r->uri, r->user, dir->errcode);
 ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+
+ return (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret : HTTP_UNAUTHORIZED;
 }
 static void authz_unixgroup_register_hooks(apr_pool_t *p)
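Review bot: The new `ap_log_rerror` call in the failure path prints `dir->errcode` through `%s` while the directive's default is `NULL` (set in the `create_authz_unixgroup_dir_config` hunk), so under the default configuration every denied request logs APR's null placeholder rather than the status actually sent; log the effective status instead by deciding it first, `int status = (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret : HTTP_UNAUTHORIZED;` before the log call, `"... not allowed access (%d)", r->uri, r->user, status` in it, and `return status;` after it. `ap_note_basic_auth_failure(r)` is also still called unconditionally, so a configured 403 goes out with a `WWW-Authenticate` header; clients ignore it on a 403, but it is misleading in captures and logs, and calling it only when `status == HTTP_UNAUTHORIZED` reads as intended. That `atoi()` accepts any positive value is raised at the directive-table hunk. `authz_unixgroup_check_user_access` begins before this hunk.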