/** @} // get_remote_host */
+/** all of the requirements must be met */
+#define SATISFY_ALL 0
+/** any of the requirements must be met */
+#define SATISFY_ANY 1
+/** There are no applicable satisfy lines */
+#define SATISFY_NOSPEC 2
+
/** Make sure we don't write less than 8000 bytes at any one time.
*/
#define AP_MIN_BYTES_TO_WRITE 8000
*/
AP_DECLARE(const char *) ap_auth_name(request_rec *r);
+/**
+ * How the requires lines must be met.
+ * @param r The current request
+ * @return How the requirements must be met. One of:
+ * <pre>
+ * SATISFY_ANY -- any of the requirements must be met.
+ * SATISFY_ALL -- all of the requirements must be met.
+ * SATISFY_NOSPEC -- There are no applicable satisfy lines
+ * </pre>
+ */
+AP_DECLARE(int) ap_satisfies(request_rec *r);
+
#ifdef CORE_PRIVATE
/**
/* ----------------------------------------------------------------------
*
- * authorization values with mod_authz_host
+ * authorization values with mod_authz_core
*/
APR_DECLARE_OPTIONAL_FN(int, authz_some_auth_required, (request_rec *r));
APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_type, (request_rec *r));
APR_DECLARE_OPTIONAL_FN(const char *, authn_ap_auth_name, (request_rec *r));
+/* ----------------------------------------------------------------------
+ *
+ * authorization values with mod_access_compat
+ */
+
+APR_DECLARE_OPTIONAL_FN(int, access_compat_ap_satisfies, (request_rec *r));
+
/* ---------------------------------------------------------------------- */
#ifdef __cplusplus
access_compat_dir_conf *d = (access_compat_dir_conf *) dv;
int i, o;
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
- "The 'Order' directive has been deprecated. "
- "Consider using '<SatisfyAll><SatisfyOne>' directives.");
-
if (!strcasecmp(arg, "allow,deny"))
o = ALLOW_THEN_DENY;
else if (!strcasecmp(arg, "deny,allow"))
int satisfy = SATISFY_NOSPEC;
int i;
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
- "The 'Satisfy' directive has been deprecated. "
- "Consider using '<SatisfyAll><SatisfyOne>' directives.");
-
if (!strcasecmp(arg, "all")) {
satisfy = SATISFY_ALL;
}
char msgbuf[120];
apr_status_t rv;
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, cmd->server,
- "The 'Allow/Deny' directives have been deprecated. "
- "Consider using one of the host providers in mod_authz_host.");
-
if (strcasecmp(from, "from"))
return "allow and deny must be followed by 'from'";
return 0;
}
-static int ap_satisfies(request_rec *r)
+static int access_compat_ap_satisfies(request_rec *r)
{
access_compat_dir_conf *conf = (access_compat_dir_conf *)
ap_get_module_config(r->per_dir_config, &access_compat_module);
}
else {
apr_table_setn(r->notes, AUTHZ_ACCESS_PASSED_NOTE, "N");
- /* If Satisfy is Any and authorization is required, then
+ /* If Satisfy is not Any and authorization is required, then
defer to the authorization stage */
- if ((ap_satisfies(r) == SATISFY_ANY) && ap_some_auth_required(r)) {
+ if ((access_compat_ap_satisfies(r) != SATISFY_ANY) && ap_some_auth_required(r)) {
ret = OK;
}
}
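Review bot: With the condition flipped to `!= SATISFY_ANY`, a failed host check under Satisfy All (or with no Satisfy line) becomes `ret = OK` whenever authentication is required, and the `switch (ap_satisfies(r))` added later in this commit accepts an OK access checker as passed for SATISFY_ALL and SATISFY_NOSPEC. Unless a later stage still reads AUTHZ_ACCESS_PASSED_NOTE and rejects "N", a client denied by Allow/Deny could be admitted on credentials alone, which is Satisfy Any behaviour. Nothing visible here shows such a check, and the commit removes the `ap_satisfies` lookups from the authz modules. Since the new switch performs the Any fallback itself, consider dropping the `ret = OK` override so the denial is returned unchanged, or add a comment naming the stage that enforces the note. The enclosing function starts and ends outside the hunk, so confirm against the full body.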
static void register_hooks(apr_pool_t *p)
{
- APR_REGISTER_OPTIONAL_FN(ap_satisfies);
+ APR_REGISTER_OPTIONAL_FN(access_compat_ap_satisfies);
/* This can be access checker since we don't require r->user to be set. */
ap_hook_access_checker(check_dir_access,NULL,NULL,APR_HOOK_MIDDLE);
#define AUTHN_PREFIX "AUTHENTICATE_"
/** all of the requirements must be met */
+#ifndef SATISFY_ALL
#define SATISFY_ALL 0
+#endif
/** any of the requirements must be met */
+#ifndef SATISFY_ANY
#define SATISFY_ANY 1
+#endif
/** There are no applicable satisfy lines */
+#ifndef SATISFY_NOSPEC
#define SATISFY_NOSPEC 2
-
-APR_DECLARE_OPTIONAL_FN(int, ap_satisfies, (request_rec *r));
-
-/* If your module uses ap_satisfies then you MUST add the line
- * below to your module for it to work correctly:
- * APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
- * and retrieve the optional function in the optional_fn_retrieve hook.
- * (See mod_authz_core.c for an example)
- */
+#endif
typedef enum {
AUTH_DENIED,
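Review bot: The three SATISFY_* constants are now defined twice: once in the header hunk at the top of this commit, and once here behind `#ifndef` guards. The copies can drift apart, and whichever header is included first silently wins. Because these values decide how host access control and authentication are combined, a single definition is safer; drop this block and include the core header that now declares `ap_satisfies`. If the copy must stay for source compatibility, add a comment such as `/* kept for older modules; the core header is authoritative */`.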
return auth_result;
}
-APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
-
static int authorize_user(request_rec *r)
{
authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config,
return req_authz;
}
-static void ImportAuthzCoreOptFn(void)
-{
- ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
-}
-
static void register_hooks(apr_pool_t *p)
{
APR_REGISTER_OPTIONAL_FN(authz_some_auth_required);
ap_hook_auth_checker(authorize_user, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_optional_fn_retrieve(ImportAuthzCoreOptFn,NULL,NULL,APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA authz_core_module =
module AP_MODULE_DECLARE_DATA authz_default_module;
-static APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
-
static int check_user_access(request_rec *r)
{
authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
return HTTP_UNAUTHORIZED;
}
-static void ImportAuthzDefOptFn(void)
-{
- ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
-}
-
static void register_hooks(apr_pool_t *p)
{
ap_hook_auth_checker(check_user_access,NULL,NULL,APR_HOOK_LAST);
- ap_hook_optional_fn_retrieve(ImportAuthzDefOptFn,NULL,NULL,APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA authz_default_module =
}
/*
- * Optional function coming from mod_ident, used for looking up ident user
+ * Optional function coming from mod_authn_core, used for
+ * retrieving the type of autorization
*/
static APR_OPTIONAL_FN_TYPE(authn_ap_auth_type) *authn_ap_auth_type;
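Review bot: The new comments say `authn_ap_auth_type` retrieves the "type of autorization" and `authn_ap_auth_name` the "authorization realm", but both are attributed to mod_authn_core and, judging by their names, describe authentication. The first comment also misspells the word. Suggest `retrieving the authentication type` here and `retrieving the authentication realm` in the next hunk. Keeping authn and authz apart in these comments matters because both families of optional functions are retrieved side by side in this file.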
}
/*
- * Optional function coming from mod_ident, used for looking up ident user
+ * Optional function coming from mod_authn_core, used for
+ * retrieving the authorization realm
*/
static APR_OPTIONAL_FN_TYPE(authn_ap_auth_name) *authn_ap_auth_name;
return NULL;
}
+/*
+ * Optional function coming from mod_access_compat, used to determine how
+ access control interacts with authentication/authorization
+ */
+static APR_OPTIONAL_FN_TYPE(access_compat_ap_satisfies) *access_compat_ap_satisfies;
+
+AP_DECLARE(int) ap_satisfies(request_rec *r)
+{
+ if (access_compat_ap_satisfies) {
+ return access_compat_ap_satisfies(r);
+ }
+ return SATISFY_NOSPEC;
+}
+
AP_DECLARE(const char *) ap_default_type(request_rec *r)
{
core_dir_config *conf;
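Review bot: `ap_satisfies` returns SATISFY_NOSPEC when `access_compat_ap_satisfies` was never retrieved, but no comment at the definition explains that this covers mod_access_compat not being loaded. It also does not say that the request-processing switch in this commit handles NOSPEC exactly like SATISFY_ALL. Add a comment above the function, e.g. `/* No mod_access_compat means no Satisfy lines: report SATISFY_NOSPEC, which callers treat like SATISFY_ALL. */`. The comment block added above the static pointer has a continuation line missing its leading ` *`. The body of `ap_default_type` continues outside the hunk.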
authz_ap_some_auth_required = APR_RETRIEVE_OPTIONAL_FN(authz_some_auth_required);
authn_ap_auth_type = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_type);
authn_ap_auth_name = APR_RETRIEVE_OPTIONAL_FN(authn_ap_auth_name);
+ access_compat_ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(access_compat_ap_satisfies);
set_banner(pconf);
ap_setup_make_content_type(pconf);
r->ap_auth_type = r->prev->ap_auth_type;
}
else {
- if ((access_status = ap_run_access_checker(r)) != OK) {
- return decl_die(access_status, "check access", r);
- }
+ switch (ap_satisfies(r)) {
+ case SATISFY_ALL:
+ case SATISFY_NOSPEC:
+ if ((access_status = ap_run_access_checker(r)) != OK) {
+ return decl_die(access_status, "check access", r);
+ }
- if ((access_status = ap_run_check_user_id(r)) != OK) {
- return decl_die(access_status, "check user", r);
- }
+ if ((access_status = ap_run_check_user_id(r)) != OK) {
+ return decl_die(access_status, "check user", r);
+ }
+
+ if ((access_status = ap_run_auth_checker(r)) != OK) {
+ return decl_die(access_status, "check authorization", r);
+ }
+ break;
+ case SATISFY_ANY:
+ if ((access_status = ap_run_access_checker(r)) != OK) {
- if ((access_status = ap_run_auth_checker(r)) != OK) {
- return decl_die(access_status, "check authorization", r);
+ if ((access_status = ap_run_check_user_id(r)) != OK) {
+ return decl_die(access_status, "check user", r);
+ }
+
+ if ((access_status = ap_run_auth_checker(r)) != OK) {
+ return decl_die(access_status, "check authorization", r);
+ }
+ }
+ break;
}
+
}
/* XXX Must make certain the ap_run_type_checker short circuits mime
* in mod-proxy for r->proxyreq && r->parsed_uri.scheme
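Review bot: The new `switch (ap_satisfies(r))` has no `default:` arm, so any return value other than the three SATISFY_* constants skips the access checker, check_user_id and auth_checker, and the request proceeds unchecked. `ap_satisfies` forwards whatever the registered optional function returns, so fail closed by placing `default:` next to `case SATISFY_NOSPEC:`. Separately, the SATISFY_ANY arm treats every non-OK access-checker status as a host denial and discards it in favour of the authentication result. An error status from a hook is therefore lost, and when no authentication is configured the outcome depends on what the check_user_id hooks return. Consider keeping the original `access_status` for `decl_die` when authentication is not required. The enclosing function starts and ends outside the hunk.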