dnl keep the bad guys out.
APACHE_MODULE(authz_default, authorization control backstopper, , , yes)
+dnl - and just in case all of the above punt; a default handler to
+dnl keep the bad guys out.
+APACHE_MODULE(access_compat, mod_access compatibility, , , most)
+
dnl these are the front-end authentication modules
APACHE_MODULE(auth_basic, basic authentication, , , yes)
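Review bot: The `dnl` comment added above `APACHE_MODULE(access_compat, ...)` is a verbatim copy of the authz_default one and describes a default deny handler, which does not match this module's own description (`mod_access compatibility`). A comment such as `dnl - compatibility module for the old mod_access directives` would stop readers mistaking it for the backstop. It is also enabled at `most` while authz_default is `yes`, so a build without it is possible and the callers of `ap_satisfies` added elsewhere in this patch need to cope with that.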
#define AUTHZ_GROUP_NOTE "authz_group_note"
#define AUTHN_PROVIDER_NAME_NOTE "authn_provider_name"
#define AUTHZ_PROVIDER_NAME_NOTE "authz_provider_name"
+#define AUTHZ_ACCESS_PASSED_NOTE "authz_access_passed"
+
+/** all of the requirements must be met */
+#define SATISFY_ALL 0
+/** any of the requirements must be met */
+#define SATISFY_ANY 1
+/** There are no applicable satisfy lines */
+#define SATISFY_NOSPEC 2
+
+APR_DECLARE_OPTIONAL_FN(int, ap_satisfies, (request_rec *r));
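Review bot: `AUTHZ_ACCESS_PASSED_NOTE` is added without saying what values the note carries, yet the consumers in this patch branch on `note[0] == 'Y'` and `note[0] == 'N'`. A comment such as `/** r->notes key written by the access checker: value begins with 'Y' when the access check passed, 'N' when it failed */` would pin that contract in the header that both sides include. The `APR_DECLARE_OPTIONAL_FN(int, ap_satisfies, ...)` line would likewise benefit from a one-line comment saying it returns one of the `SATISFY_*` values and that the retrieved pointer can be NULL when the providing module is not loaded.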
typedef enum {
AUTH_DENIED,
authz_provider_list *providers;
authz_request_state req_state;
int req_state_level;
+// int some_authz;
+// char *path;
} authz_core_dir_conf;
typedef struct authz_core_srv_conf {
conf->req_state = AUTHZ_REQSTATE_ONE;
conf->req_state_level = 0;
+// conf->some_authz = -1;
return (void *)conf;
}
* (or creating copies for merging) where new-> values exist.
*/
conf = (authz_core_dir_conf *)apr_palloc(a, sizeof(authz_core_dir_conf));
- memcpy(conf, base, sizeof(authz_core_dir_conf));
+ memcpy(conf, new, sizeof(authz_core_dir_conf));
+
+ conf->some_authz = base->some_authz == -1 ? 0:base->some_authz == 0 ? 0:new->some_authz;
return (void*)conf;
}
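Review bot: The added line `conf->some_authz = ...` uses a `some_authz` member that the struct hunk adds only as a comment (`// int some_authz;`), so as shown this file should not compile; either restore the member and its `-1` initialiser or drop the line. Separately, changing `memcpy(conf, base, ...)` to `memcpy(conf, new, ...)` makes the child configuration the starting point of the merge. Unless code outside this hunk copies `base->providers` back in, a directory with no requirement lines of its own would stop inheriting its parent's, and `authorize_user` stops early when `conf->providers` is NULL. The intended inheritance rule deserves a comment here and a test with a nested directory. The commented-out lines in the create and add-provider hunks (`// conf->some_authz = -1;`, `// conf->path = ...`) should be removed rather than committed.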
authz_provider_list *newp;
const char *t, *w;
+// conf->some_authz = 1;
+// conf->path = apr_pstrdup(cmd->pool, cmd->path);
+
newp = apr_pcalloc(cmd->pool, sizeof(authz_provider_list));
t = arg;
return auth_result;
}
+APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
+
static int authorize_user(request_rec *r)
{
authz_core_dir_conf *conf = ap_get_module_config(r->per_dir_config,
&authz_core_module);
authz_status auth_result;
authz_provider_list *current_provider;
+ const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
+
+ ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
/* If we're not really configured for providers, stop now. */
if (!conf->providers) {
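Review bot: `ap_satisfies` is defined here as a non-static file-scope pointer, and the identical definition is added to mod_authz_default.c, so both modules define the same external symbol; marking each one `static` avoids the clash. The pointer is also re-fetched with `APR_RETRIEVE_OPTIONAL_FN` on every request and later called without a NULL check. The retrieve yields NULL when no module has registered the function, and the calls are only protected indirectly by the `note` test in front of them. Retrieving once at startup (for example from an `ap_hook_optional_fn_retrieve` callback) and testing `ap_satisfies != NULL` before each call would remove both the per-request write to shared state and the crash path. The body of `authorize_user` continues outside this hunk.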
switch (auth_result) {
case AUTHZ_DENIED:
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "user %s: authorization failure for \"%s\": ",
- r->user, r->uri);
- return_code = HTTP_UNAUTHORIZED;
+ /* XXX If the deprecated Satisfy directive is set to Any and
+ authorization as denied, then check to see what
+ the access control stage said. Just the if statement
+ should be removed in 3.0 when the Satisfy directive
+ goes away. */
+// if (!note || ((note[0] == 'N') && (ap_satisfies(r) != SATISFY_ANY))) {
+ if (!note || (ap_satisfies(r) != SATISFY_ANY) || (note[0] == 'N')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "user %s: authorization failure for \"%s\": ",
+ r->user, r->uri);
+ return_code = HTTP_UNAUTHORIZED;
+ }
+ else {
+ return_code = DECLINED;
+ }
break;
case AUTHZ_GENERAL_ERROR:
default:
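Review bot: The new condition in the `AUTHZ_DENIED` case treats any note value that does not start with `'N'` as a pass, whereas `check_user_access` in mod_authz_default.c accepts only `'Y'`. Testing for the positive value keeps the two in step and fails closed on an unexpected or empty note: `if (!note || note[0] != 'Y' || !ap_satisfies || ap_satisfies(r) != SATISFY_ANY) {`. The superseded condition left as a `//` comment above it should be dropped, and "authorization as denied" in the comment should read "was denied". The `switch` begins and ends outside the hunk.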
#include "http_protocol.h"
#include "http_request.h"
+#include "mod_auth.h"
+
+
typedef struct {
int authoritative;
} authz_default_config_rec;
module AP_MODULE_DECLARE_DATA authz_default_module;
+APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
+
static int check_user_access(request_rec *r)
{
authz_default_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_default_module);
+ const char *note = apr_table_get(r->notes, AUTHZ_ACCESS_PASSED_NOTE);
+
+ ap_satisfies = APR_RETRIEVE_OPTIONAL_FN(ap_satisfies);
+
+ /* If we got here and there isn't any authz required and there is no
+ note from the access checker that it failed, assume access is OK */
+ if (!ap_some_auth_required(r) ||
+ (note && (note[0] == 'Y') && (ap_satisfies(r) == SATISFY_ANY))) {
+ return OK;
+ }
if (!(conf->authoritative)) {
return DECLINED;
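Review bot: The comment above the new `if` does not match the condition it documents. It describes "no authz required and no failure note", but the code returns `OK` when either nothing requires auth, or the note starts with `'Y'` and `ap_satisfies(r)` is `SATISFY_ANY`. Because this is the branch where the default handler grants access, the comment should state the rule exactly, for example `/* Allow when nothing requires authorization, or when Satisfy Any is in effect and the access checker recorded a pass ('Y') */`. The function continues past the end of the hunk.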