From: Stefan Fritsch Date: Sun, 4 Jul 2010 21:16:53 +0000 (+0000) Subject: Introduce note_auth_failure hook to allow modules to add support X-Git-Tag: 2.3.7~101 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eedf13033285d80373548093b26b87330db872e3;p=apache Introduce note_auth_failure hook to allow modules to add support for additional auth types. This makes ap_note_auth_failure() work with mod_auth_digest again. PR: 48807 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@960399 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 437b5b7200..ddc8cca156 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.3.7
+ *) core: Introduce note_auth_failure hook to allow modules to add support
+ for additional auth types. This makes ap_note_auth_failure() work with
+ mod_auth_digest again. PR 48807. [Stefan Fritsch]
+
 *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
 *) mod_authn_cache: new module [Nick Kew]
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 08692505ac..41eefd6100 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -233,6 +233,7 @@
 * 20100625.0 (2.3.7-dev) Add 'userctx' to socache iterator callback prototype
 * 20100630.0 (2.3.7-dev) make module_levels vector of char instead of int
 * 20100701.0 (2.3.7-dev) re-order struct members to improve alignment
+ * 20100701.1 (2.3.7-dev) add note_auth_failure hook
 */
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@@ -240,7 +241,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20100701
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
 /**
 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/include/http_protocol.h b/include/http_protocol.h
index bf405af4e5..5b71dfd0e6 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -437,28 +437,30 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r);
 /**
 * Setup the output headers so that the client knows how to authenticate
- * itself the next time, if an authentication request failed. This function
- * works for both basic and digest authentication
+ * itself the next time, if an authentication request failed.
 * @param r The current request
 */
 AP_DECLARE(void) ap_note_auth_failure(request_rec *r);
 /**
- * Setup the output headers so that the client knows how to authenticate
- * itself the next time, if an authentication request failed. This function
- * works only for basic authentication
- * @param r The current request
+ * @deprecated @see ap_note_auth_failure
 */
 AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r);
 /**
- * Setup the output headers so that the client knows how to authenticate
- * itself the next time, if an authentication request failed. This function
- * works only for digest authentication
- * @param r The current request
+ * @deprecated @see ap_note_auth_failure
 */
 AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
+/**
+ * This hook allows modules to add support for a specific auth type to
+ * ap_note_auth_failure
+ * @param r the current request
+ * @param auth_type the configured auth_type
+ * @return OK, DECLINED
+ */
+AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
+
 /**
 * Get the password from the request headers
 * @param r The current request
diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c
index 9543e7e931..2e20aad197 100644
--- a/modules/aaa/mod_auth_basic.c
+++ b/modules/aaa/mod_auth_basic.c
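Review bot: The doc comment added for the `note_auth_failure` hook gives only `@return OK, DECLINED` and leaves out the contract a module author has to follow. It should say that the hook is run-first (server/protocol.c implements it with `AP_IMPLEMENT_HOOK_RUN_FIRST` and `DECLINED` as the decline value), that a handler returns DECLINED for any auth type other than its own and OK only after it has set the challenge header, and that `auth_type` must be non-NULL, since the handlers in this commit pass it straight to `strcasecmp`. The two `@deprecated` comments also drop the information that these functions no longer select a scheme by name; something like `@deprecated Follows the configured AuthType regardless of the function name. @see ap_note_auth_failure` would keep callers informed.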
@@ -127,6 +127,15 @@ static void note_basic_auth_failure(request_rec *r)
 "\"", NULL));
 }
+static int hook_note_basic_auth_failure(request_rec *r, const char *auth_type)
+{
+ if (strcasecmp(auth_type, "Basic"))
+ return DECLINED;
+
+ note_basic_auth_failure(r);
+ return OK;
+}
+
 static int get_basic_auth(request_rec *r, const char **user, const char **pw)
 {
@@ -290,6 +299,8 @@ static void register_hooks(apr_pool_t *p)
 {
 ap_hook_check_authn(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE, AP_AUTH_INTERNAL_PER_CONF);
+ ap_hook_note_auth_failure(hook_note_basic_auth_failure, NULL, NULL,
+ APR_HOOK_MIDDLE);
 }
 AP_DECLARE_MODULE(auth_basic) =
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index e69f0795a5..8506f1b7ca 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -1369,6 +1369,39 @@ static void note_digest_auth_failure(request_rec *r,
 }
+static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type)
+{
+ request_rec *mainreq;
+ digest_header_rec *resp;
+ digest_config_rec *conf;
+
+ if (strcasecmp(auth_type, "Digest"))
+ return DECLINED;
+
+ /* get the client response and mark */
+
+ mainreq = r;
+ while (mainreq->main != NULL) {
+ mainreq = mainreq->main;
+ }
+ while (mainreq->prev != NULL) {
+ mainreq = mainreq->prev;
+ }
+ resp = (digest_header_rec *) ap_get_module_config(mainreq->request_config,
+ &auth_digest_module);
+ resp->needed_auth = 1;
+
+
+ /* get our conf */
+
+ conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config,
+ &auth_digest_module);
+
+ note_digest_auth_failure(r, conf, resp, 0);
+
+ return OK;
+}
+
 /*
 * Authorization header verification code
@@ -2054,6 +2087,9 @@ static void register_hooks(apr_pool_t *p)
 AP_AUTH_INTERNAL_PER_CONF);
 ap_hook_fixups(add_auth_info, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_note_auth_failure(hook_note_digest_auth_failure, NULL, NULL,
+ APR_HOOK_MIDDLE);
+
 }
 AP_DECLARE_MODULE(auth_digest) =
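Review bot: In `hook_note_digest_auth_failure`, `resp` is dereferenced (`resp->needed_auth = 1;`) immediately after `ap_get_module_config()` with no NULL check, so the hook depends on some earlier digest code having stored a `digest_header_rec` in the top-level request's `request_config`. That code is outside this hunk; if any path reaches `ap_note_auth_failure()` before it has run (this commit also re-enables the call in mod_authz_core's `authorize_user`), the server would dereference NULL while building the 401 response. Either guard it, for example `if (resp == NULL) return DECLINED;` preceded by an error-level log line, or add a comment naming the hook that guarantees the record exists. `conf` is handed to `note_digest_auth_failure` unchecked as well, and a short comment on why it cannot be NULL here would help.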
diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c
index d75399b954..073c7d4852 100644
--- a/modules/aaa/mod_auth_form.c
+++ b/modules/aaa/mod_auth_form.c
@@ -424,6 +424,16 @@ static void note_cookie_auth_failure(request_rec * r)
 }
 }
+static int hook_note_cookie_auth_failure(request_rec * r,
+ const char *auth_type)
+{
+ if (strcasecmp(auth_type, "form"))
+ return DECLINED;
+
+ note_cookie_auth_failure(r);
+ return OK;
+}
+
 /**
 * Set the auth username and password into the main request
 * notes table.
@@ -1183,6 +1193,9 @@ static void register_hooks(apr_pool_t * p)
 ap_hook_handler(authenticate_form_login_handler, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_handler(authenticate_form_logout_handler, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_handler(authenticate_form_redirect_handler, NULL, NULL, APR_HOOK_MIDDLE);
+
+ ap_hook_note_auth_failure(hook_note_cookie_auth_failure, NULL, NULL,
+ APR_HOOK_MIDDLE);
 }
 AP_DECLARE_MODULE(auth_form) =
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index 50a715eba1..f682a3eebf 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -768,8 +768,7 @@ static int authorize_user(request_rec *r)
 r->user, r->uri);
 /* If we're returning 403, tell them to try again. */
- /* XXX: ap_note_auth_failure is currently broken */
- /*ap_note_auth_failure(r);*/
+ ap_note_auth_failure(r);
 return HTTP_UNAUTHORIZED;
 }
diff --git a/server/protocol.c b/server/protocol.c
index 4a5cce27e8..182c5b1cec 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -64,6 +64,7 @@ APR_HOOK_STRUCT(
 APR_HOOK_LINK(log_transaction)
 APR_HOOK_LINK(http_scheme)
 APR_HOOK_LINK(default_port)
+ APR_HOOK_LINK(note_auth_failure)
 )
 AP_DECLARE_DATA ap_filter_rec_t *ap_old_write_func = NULL;
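Review bot: The comment directly above the re-enabled call in `authorize_user` still reads `/* If we're returning 403, tell them to try again. */`, while the next visible statement returns `HTTP_UNAUTHORIZED`, which is 401. Now that the call is live again the comment should match what the code does, for example `/* Returning 401: add the challenge header so the client can retry with credentials. */`. The rest of `authorize_user` lies outside the hunk, so whether 401 is the intended status on every path reaching this point cannot be confirmed from here.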
@@ -1187,10 +1188,7 @@ AP_DECLARE(void) ap_note_auth_failure(request_rec *r)
 {
 const char *type = ap_auth_type(r);
 if (type) {
- if (!strcasecmp(type, "Basic"))
- ap_note_basic_auth_failure(r);
- else if (!strcasecmp(type, "Digest"))
- ap_note_digest_auth_failure(r);
+ ap_run_note_auth_failure(r, type);
 } else {
 ap_log_rerror(APLOG_MARK, APLOG_ERR,
@@ -1200,29 +1198,12 @@ AP_DECLARE(void) ap_note_auth_failure(request_rec *r)
 AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r)
 {
- const char *type = ap_auth_type(r);
-
- /* if there is no AuthType configure or it is something other than
- * Basic, let ap_note_auth_failure() deal with it
- */
- if (!type || strcasecmp(type, "Basic"))
- ap_note_auth_failure(r);
- else
- apr_table_setn(r->err_headers_out,
- (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
- : "WWW-Authenticate",
- apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r),
- "\"", NULL));
+ ap_note_auth_failure(r);
 }
 AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r)
 {
- apr_table_setn(r->err_headers_out,
- (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authenticate"
- : "WWW-Authenticate",
- apr_psprintf(r->pool, "Digest realm=\"%s\", nonce=\""
- "%" APR_UINT64_T_HEX_FMT "\"",
- ap_auth_name(r), (apr_uint64_t)r->request_time));
+ ap_note_auth_failure(r);
 }
 AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
@@ -1243,7 +1224,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
 }
 if (!auth_line) {
- ap_note_basic_auth_failure(r);
+ ap_note_auth_failure(r);
 return HTTP_UNAUTHORIZED;
 }
@@ -1251,7 +1232,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
 /* Client tried to authenticate using wrong auth scheme */
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "client used wrong authentication scheme: %s", r->uri);
- ap_note_basic_auth_failure(r);
+ ap_note_auth_failure(r);
 return HTTP_UNAUTHORIZED;
 }
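Review bot: In `ap_note_auth_failure`, `ap_run_note_auth_failure(r, type);` discards the hook result, so when no loaded module claims the configured AuthType every handler returns DECLINED and nothing is added to `err_headers_out`. Callers such as `ap_get_basic_auth_pw` further down and `authorize_user` in mod_authz_core still return `HTTP_UNAUTHORIZED`, so the client receives a 401 without a `WWW-Authenticate` or `Proxy-Authenticate` challenge and the administrator gets no hint that the configuration is incomplete. Logging the decline would make this visible, for example `if (ap_run_note_auth_failure(r, type) == DECLINED) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "no module handles AuthType %s: %s", type, r->uri);`. The function body continues past the end of the hunk.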
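Review bot: `ap_note_basic_auth_failure` and `ap_note_digest_auth_failure` become plain aliases for `ap_note_auth_failure`, which changes what existing callers get. The removed digest body set a Digest challenge unconditionally and the removed basic body built the Basic challenge in core; the new bodies emit whatever the handler for the configured AuthType produces, or nothing when that module is not loaded. A third-party module that calls `ap_note_digest_auth_failure` under a different AuthType would presumably now advertise that other scheme, possibly Basic, which is a weaker challenge than the caller asked for. Each wrapper should carry a comment to that effect, such as `/* deprecated: ignores the scheme in its name and follows the configured AuthType */`, and a debug-level log when the configured type differs from the one named by the wrapper would help operators spot affected modules.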
@@ -1757,3 +1738,6 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(const char *,http_scheme, (const request_rec *r), (r), NULL)
 AP_IMPLEMENT_HOOK_RUN_FIRST(unsigned short,default_port, (const request_rec *r), (r), 0)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int, note_auth_failure,
+ (request_rec *r, const char *auth_type),
+ (r, auth_type), DECLINED)