Backport r574021

author Nick Kew <niq@apache.org>

Sat, 22 Sep 2007 00:30:23 +0000 (00:30 +0000)

committer Nick Kew <niq@apache.org>

Sat, 22 Sep 2007 00:30:23 +0000 (00:30 +0000)
author Nick Kew <niq@apache.org>
Sat, 22 Sep 2007 00:30:23 +0000 (00:30 +0000)
committer Nick Kew <niq@apache.org>
Sat, 22 Sep 2007 00:30:23 +0000 (00:30 +0000)
diff --git a/CHANGES b/CHANGES

index 1d8ac6885f03585b26a5406815edf1548250c6d3..a9b8b0631f6c605e874c1a97bc2c80067aa4d4c5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
  Changes with Apache 2.2.7
  
+  *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
+     PR 25947 [Nick Kew]
+
    *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD
       requests. PR 43060 [Jim Jagielski]
  
@@ -343,7 +346,7 @@ Changes with Apache 2.2.4
  
    *) mod_cgi and mod_cgid: Don't use apr_status_t error return
       from input filters as HTTP return value from the handler.
-     PR 31579.  [Nick Kew]
+     PR 31759.  [Nick Kew]
  
    *) mod_cache: Eliminate a bogus error in the log when a filter returns
       AP_FILTER_ERROR.  [Niklas Edmundsson <nikke acc.umu.se>]
diff --git a/STATUS b/STATUS

index 5d50215cc95db0d141ecde64c331bb6248a1e867..dc84ac5713871cbe7e0bc796e36ee57c97a9ca3b 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -79,13 +79,6 @@ RELEASE SHOWSTOPPERS:
  PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
    [ start all new proposals below, under PATCHES PROPOSED. ]
  
-    * mod_proxy_http: Propagate Proxy-Authorization header correctly.
-      PR 25947
-      http://svn.apache.org/viewvc?view=rev&revision=574021
-      +1: niq, jfclere.
-      rpluem says: +1 in general, but please remove the tabs from your
-      patch and in trunk.
-
  PATCHES PROPOSED TO BACKPORT FROM TRUNK:
    [ New proposals should be added at the end of the list ]
  
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c

index 534cbb5d43dbcf1341050013e3a6abd9390f4d83..9617be8c3b0d56ad088b21ba423d32ff0560281c 100644 (file)
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -755,19 +755,21 @@ apr_status_t ap_proxy_http_request(apr_pool_t *p, request_rec *r,
               || !strcasecmp(headers_in[counter].key, "Trailer")
               || !strcasecmp(headers_in[counter].key, "Upgrade")
  
-            /* XXX: @@@ FIXME: "Proxy-Authorization" should *only* be
-             * suppressed if THIS server requested the authentication,
-             * not when a frontend proxy requested it!
-             *
-             * The solution to this problem is probably to strip out
-             * the Proxy-Authorisation header in the authorisation
-             * code itself, not here. This saves us having to signal
-             * somehow whether this request was authenticated or not.
-             */
-             || !strcasecmp(headers_in[counter].key,"Proxy-Authorization")
-             || !strcasecmp(headers_in[counter].key,"Proxy-Authenticate")) {
+             ) {
              continue;
          }
+        /* Do we want to strip Proxy-Authorization ?
+         * If we haven't used it, then NO
+         * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
+         * So let's make it configurable by env.
+         */
+        if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) {
+            if (r->user != NULL) { /* we've authenticated */
+                if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
+                    continue;
+                }
+            }
+        }
  
          /* Skip Transfer-Encoding and Content-Length for now.
           */
author	Nick Kew <niq@apache.org>
	Sat, 22 Sep 2007 00:30:23 +0000 (00:30 +0000)
committer	Nick Kew <niq@apache.org>
	Sat, 22 Sep 2007 00:30:23 +0000 (00:30 +0000)
CHANGES		patch \| blob \| blame \| history
STATUS		patch \| blob \| blame \| history
modules/proxy/mod_proxy_http.c		patch \| blob \| blame \| history