|
|
1e590c |
Index: server/request.c
|
|
|
1e590c |
===================================================================
|
|
|
1e590c |
--- a/server/request.c (revision 1684524)
|
|
|
1e590c |
+++ b/server/request.c (revision 1684525)
|
|
|
1e590c |
@@ -71,6 +71,7 @@
|
|
|
1e590c |
APR_HOOK_LINK(create_request)
|
|
|
1e590c |
APR_HOOK_LINK(post_perdir_config)
|
|
|
1e590c |
APR_HOOK_LINK(dirwalk_stat)
|
|
|
1e590c |
+ APR_HOOK_LINK(force_authn)
|
|
|
1e590c |
)
|
|
|
1e590c |
|
|
|
1e590c |
AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
|
|
|
1e590c |
@@ -97,6 +98,8 @@
|
|
|
1e590c |
AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t,dirwalk_stat,
|
|
|
1e590c |
(apr_finfo_t *finfo, request_rec *r, apr_int32_t wanted),
|
|
|
1e590c |
(finfo, r, wanted), AP_DECLINED)
|
|
|
1e590c |
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn,
|
|
|
1e590c |
+ (request_rec *r), (r), DECLINED)
|
|
|
1e590c |
|
|
|
1e590c |
static int auth_internal_per_conf = 0;
|
|
|
1e590c |
static int auth_internal_per_conf_hooks = 0;
|
|
|
1e590c |
@@ -118,6 +121,39 @@
|
|
|
1e590c |
}
|
|
|
1e590c |
}
|
|
|
1e590c |
|
|
|
1e590c |
+AP_DECLARE(int) ap_some_authn_required(request_rec *r)
|
|
|
1e590c |
+{
|
|
|
1e590c |
+ int access_status;
|
|
|
1e590c |
+
|
|
|
1e590c |
+ switch (ap_satisfies(r)) {
|
|
|
1e590c |
+ case SATISFY_ALL:
|
|
|
1e590c |
+ case SATISFY_NOSPEC:
|
|
|
1e590c |
+ if ((access_status = ap_run_access_checker(r)) != OK) {
|
|
|
1e590c |
+ break;
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+
|
|
|
1e590c |
+ access_status = ap_run_access_checker_ex(r);
|
|
|
1e590c |
+ if (access_status == DECLINED) {
|
|
|
1e590c |
+ return TRUE;
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+
|
|
|
1e590c |
+ break;
|
|
|
1e590c |
+ case SATISFY_ANY:
|
|
|
1e590c |
+ if ((access_status = ap_run_access_checker(r)) == OK) {
|
|
|
1e590c |
+ break;
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+
|
|
|
1e590c |
+ access_status = ap_run_access_checker_ex(r);
|
|
|
1e590c |
+ if (access_status == DECLINED) {
|
|
|
1e590c |
+ return TRUE;
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+
|
|
|
1e590c |
+ break;
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+
|
|
|
1e590c |
+ return FALSE;
|
|
|
1e590c |
+}
|
|
|
1e590c |
+
|
|
|
1e590c |
/* This is the master logic for processing requests. Do NOT duplicate
|
|
|
1e590c |
* this logic elsewhere, or the security model will be broken by future
|
|
|
1e590c |
* API changes. Each phase must be individually optimized to pick up
|
|
|
1e590c |
@@ -232,15 +268,8 @@
|
|
|
1e590c |
}
|
|
|
1e590c |
|
|
|
1e590c |
access_status = ap_run_access_checker_ex(r);
|
|
|
1e590c |
- if (access_status == OK) {
|
|
|
1e590c |
- ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
|
|
|
1e590c |
- "request authorized without authentication by "
|
|
|
1e590c |
- "access_checker_ex hook: %s", r->uri);
|
|
|
1e590c |
- }
|
|
|
1e590c |
- else if (access_status != DECLINED) {
|
|
|
1e590c |
- return decl_die(access_status, "check access", r);
|
|
|
1e590c |
- }
|
|
|
1e590c |
- else {
|
|
|
1e590c |
+ if (access_status == DECLINED
|
|
|
1e590c |
+ || (access_status == OK && ap_run_force_authn(r) == OK)) {
|
|
|
1e590c |
if ((access_status = ap_run_check_user_id(r)) != OK) {
|
|
|
1e590c |
return decl_die(access_status, "check user", r);
|
|
|
1e590c |
}
|
|
|
1e590c |
@@ -258,6 +287,14 @@
|
|
|
1e590c |
return decl_die(access_status, "check authorization", r);
|
|
|
1e590c |
}
|
|
|
1e590c |
}
|
|
|
1e590c |
+ else if (access_status == OK) {
|
|
|
1e590c |
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
|
|
|
1e590c |
+ "request authorized without authentication by "
|
|
|
1e590c |
+ "access_checker_ex hook: %s", r->uri);
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+ else {
|
|
|
1e590c |
+ return decl_die(access_status, "check access", r);
|
|
|
1e590c |
+ }
|
|
|
1e590c |
break;
|
|
|
1e590c |
case SATISFY_ANY:
|
|
|
1e590c |
if ((access_status = ap_run_access_checker(r)) == OK) {
|
|
|
1e590c |
@@ -269,15 +306,8 @@
|
|
|
1e590c |
}
|
|
|
1e590c |
|
|
|
1e590c |
access_status = ap_run_access_checker_ex(r);
|
|
|
1e590c |
- if (access_status == OK) {
|
|
|
1e590c |
- ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
|
|
|
1e590c |
- "request authorized without authentication by "
|
|
|
1e590c |
- "access_checker_ex hook: %s", r->uri);
|
|
|
1e590c |
- }
|
|
|
1e590c |
- else if (access_status != DECLINED) {
|
|
|
1e590c |
- return decl_die(access_status, "check access", r);
|
|
|
1e590c |
- }
|
|
|
1e590c |
- else {
|
|
|
1e590c |
+ if (access_status == DECLINED
|
|
|
1e590c |
+ || (access_status == OK && ap_run_force_authn(r) == OK)) {
|
|
|
1e590c |
if ((access_status = ap_run_check_user_id(r)) != OK) {
|
|
|
1e590c |
return decl_die(access_status, "check user", r);
|
|
|
1e590c |
}
|
|
|
1e590c |
@@ -295,6 +325,14 @@
|
|
|
1e590c |
return decl_die(access_status, "check authorization", r);
|
|
|
1e590c |
}
|
|
|
1e590c |
}
|
|
|
1e590c |
+ else if (access_status == OK) {
|
|
|
1e590c |
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
|
|
|
1e590c |
+ "request authorized without authentication by "
|
|
|
1e590c |
+ "access_checker_ex hook: %s", r->uri);
|
|
|
1e590c |
+ }
|
|
|
1e590c |
+ else {
|
|
|
1e590c |
+ return decl_die(access_status, "check access", r);
|
|
|
1e590c |
+ }
|
|
|
1e590c |
break;
|
|
|
1e590c |
}
|
|
|
1e590c |
}
|
|
|
1e590c |
Index: include/http_request.h
|
|
|
1e590c |
===================================================================
|
|
|
1e590c |
--- a/include/http_request.h (revision 1684524)
|
|
|
1e590c |
+++ b/include/http_request.h (revision 1684525)
|
|
|
1e590c |
@@ -185,6 +185,8 @@
|
|
|
1e590c |
* is required for the current request
|
|
|
1e590c |
* @param r The current request
|
|
|
1e590c |
* @return 1 if authentication is required, 0 otherwise
|
|
|
1e590c |
+ * @bug Behavior changed in 2.4.x refactoring, API no longer usable
|
|
|
1e590c |
+ * @deprecated @see ap_some_authn_required()
|
|
|
1e590c |
*/
|
|
|
1e590c |
AP_DECLARE(int) ap_some_auth_required(request_rec *r);
|
|
|
1e590c |
|
|
|
1e590c |
@@ -539,6 +541,16 @@
|
|
|
1e590c |
AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r))
|
|
|
1e590c |
|
|
|
1e590c |
/**
|
|
|
1e590c |
+ * This hook allows a module to force authn to be required when
|
|
|
1e590c |
+ * processing a request.
|
|
|
1e590c |
+ * This hook should be registered with ap_hook_force_authn().
|
|
|
1e590c |
+ * @param r The current request
|
|
|
1e590c |
+ * @return OK (force authn), DECLINED (let later modules decide)
|
|
|
1e590c |
+ * @ingroup hooks
|
|
|
1e590c |
+ */
|
|
|
1e590c |
+AP_DECLARE_HOOK(int,force_authn,(request_rec *r))
|
|
|
1e590c |
+
|
|
|
1e590c |
+/**
|
|
|
1e590c |
* This hook allows modules to handle/emulate the apr_stat() calls
|
|
|
1e590c |
* needed for directory walk.
|
|
|
1e590c |
* @param r The current request
|
|
|
1e590c |
@@ -584,6 +596,17 @@
|
|
|
1e590c |
AP_DECLARE(apr_bucket *) ap_bucket_eor_create(apr_bucket_alloc_t *list,
|
|
|
1e590c |
request_rec *r);
|
|
|
1e590c |
|
|
|
1e590c |
+/**
|
|
|
1e590c |
+ * Can be used within any handler to determine if any authentication
|
|
|
1e590c |
+ * is required for the current request. Note that if used with an
|
|
|
1e590c |
+ * access_checker hook, an access_checker_ex hook or an authz provider; the
|
|
|
1e590c |
+ * caller should take steps to avoid a loop since this function is
|
|
|
1e590c |
+ * implemented by calling these hooks.
|
|
|
1e590c |
+ * @param r The current request
|
|
|
1e590c |
+ * @return TRUE if authentication is required, FALSE otherwise
|
|
|
1e590c |
+ */
|
|
|
1e590c |
+AP_DECLARE(int) ap_some_authn_required(request_rec *r);
|
|
|
1e590c |
+
|
|
|
1e590c |
#ifdef __cplusplus
|
|
|
1e590c |
}
|
|
|
1e590c |
#endif
|