From: Chris Darroch Date: Fri, 31 Oct 2008 20:18:07 +0000 (+0000) Subject: Add AuthType of None to support disabling authentication. X-Git-Tag: 2.3.0~190 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=097b993e8ee55f8d832b6f2de1840ec7157e22b1;p=thirdparty%2Fapache%2Fhttpd.git Add AuthType of None to support disabling authentication. Prevent crash when provider alias created to provider which is not yet registered. Migrate remaining functionality of mod_authn_default to mod_authn_core. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@709553 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1d1746d225c..22f9f1e9cd3 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.0 [ When backported to 2.2.x, remove entry from this file ] + *) mod_authn_core: Add AuthType of None to support disabling + authentication. [Chris Darroch] + *) core: Allow and directives to nest, and constrain their use to conform with that of other access control and authorization directives. [Chris Darroch] diff --git a/docs/manual/mod/mod_authn_core.xml b/docs/manual/mod/mod_authn_core.xml index ec43cd98fe8..a8e57db3bbb 100644 --- a/docs/manual/mod/mod_authn_core.xml +++ b/docs/manual/mod/mod_authn_core.xml @@ -123,22 +123,24 @@ authentication Authentication, Authorization, and Access Control +mod_authz_core AuthType Type of user authentication -AuthType Basic|Digest +AuthType None|Basic|Digest|Form directory.htaccess AuthConfig

This directive selects the type of user authentication for a - directory. The authentication types available are + directory. The authentication types available are None, Basic (implemented by - mod_auth_basic) and Digest - (implemented by mod_auth_digest).

+ mod_auth_basic), Digest + (implemented by mod_auth_digest), and + Form (implemented by mod_auth_form).

To implement authentication, you must also use the AuthName and server must have an authentication-provider module such as mod_authn_file and an authorization module such as mod_authz_user.

+ +

The authentication type None disables authentication. + When authentication is enabled, it is normally inherited by each + subsequent configuration section, + unless a different authentication type is specified. If no + authentication is desired for a subsection of an authenticated + section, the authentication type None may be used; + in the following example, clients may access the + /www/docs/public directory without authenticating:

+ + + <Directory /www/docs> + + AuthType Basic
+ AuthName Documents
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache/passwd/passwords
+ Require valid-user +
+ </Directory>
+
+ <Directory /www/docs/public> + + AuthType None
+ Require all granted +
+ </Directory> +
+ + When disabling authentication, note that clients which have + already authenticated against another portion of the server's document + tree will typically continue to send authentication HTTP headers + or cookies with each request, regardless of whether the server + actually requires authentication for every resource.
Authentication, Authorization, diff --git a/modules/aaa/mod_authn_core.c b/modules/aaa/mod_authn_core.c index 22dfeccbb96..ff8a7e6d0b7 100644 --- a/modules/aaa/mod_authn_core.c +++ b/modules/aaa/mod_authn_core.c @@ -46,14 +46,15 @@ - Track down all of the references to r->ap_auth_type and change them to ap_auth_type() -- Remove ap_auth_type and ap_auth_name from the - request_rec +- Remove ap_auth_type and ap_auth_name from the + request_rec */ typedef struct { - char *ap_auth_type; - char *ap_auth_name; + const char *ap_auth_type; + int auth_type_set; + const char *ap_auth_name; } authn_core_dir_conf; typedef struct provider_alias_rec { @@ -82,19 +83,22 @@ static void *merge_authn_core_dir_config(apr_pool_t *a, void *basev, void *newv) { authn_core_dir_conf *base = (authn_core_dir_conf *)basev; authn_core_dir_conf *new = (authn_core_dir_conf *)newv; - authn_core_dir_conf *conf; - - /* Create this conf by duplicating the base, replacing elements - * (or creating copies for merging) where new-> values exist. - */ - conf = (authn_core_dir_conf *)apr_pmemdup(a, base, sizeof(authn_core_dir_conf)); + authn_core_dir_conf *conf = + (authn_core_dir_conf *)apr_pcalloc(a, sizeof(authn_core_dir_conf)); - if (new->ap_auth_type) { + if (new->auth_type_set) { conf->ap_auth_type = new->ap_auth_type; + conf->auth_type_set = 1; + } + else { + conf->ap_auth_type = base->ap_auth_type; + conf->auth_type_set = base->auth_type_set; } if (new->ap_auth_name) { conf->ap_auth_name = new->ap_auth_name; + } else { + conf->ap_auth_name = base->ap_auth_name; } return (void*)conf; 
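Review bot: The new `auth_type_set` field in `authn_core_dir_conf` has no comment, yet it now decides what a NULL `ap_auth_type` means: with the flag clear the section inherits the parent's type, with the flag set authentication was explicitly disabled by `AuthType None`. I would document that on the field, e.g. `/* non-zero once AuthType was given here; with ap_auth_type == NULL this means AuthType None */`. The same contract is relied on by `merge_authn_core_dir_config` (next hunk) and by `set_authtype` (hunk at -286), so one comment at the struct covers all three.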
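Review bot: In `merge_authn_core_dir_config`, replacing `apr_pmemdup(a, base, ...)` with `apr_pcalloc` plus per-field copies means a field added to `authn_core_dir_conf` later is silently zeroed in the merged config unless this function is updated too. The comment that described the merge strategy was removed with the old code, so I would add a replacement such as `/* start from a zeroed conf: every field must be merged explicitly below */`. The two `else` branches are also formatted differently (`}` then `else {` on a new line for the type, `} else {` for the name); use one form for both. The function's closing brace lies outside the hunk.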
@@ -189,11 +193,11 @@ static const authn_provider authn_alias_provider_nodigest = static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *arg) { - int old_overrides = cmd->override; const char *endp = ap_strrchr_c(arg, '>'); const char *args; char *provider_alias; char *provider_name; + int old_overrides = cmd->override; const char *errmsg; const authn_provider *provider = NULL; ap_conf_vector_t *new_auth_config = ap_create_per_dir_config(cmd->pool); @@ -228,7 +232,7 @@ static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *a } if (strcasecmp(provider_name, provider_alias) == 0) { - return apr_pstrcat(cmd->pool, + return apr_pstrcat(cmd->pool, "The alias provider name must be different from the base provider name.", NULL); } 
@@ -237,20 +241,29 @@ static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *a AUTHN_PROVIDER_VERSION); if (provider) { return apr_pstrcat(cmd->pool, "The alias provider ", provider_alias, - " has already be registered previously as either a base provider or an alias provider.", + " has already be registered previously as either a base provider or an alias provider.", NULL); } /* walk the subsection configuration to get the per_dir config that we will merge just before the real provider is called. */ - cmd->override = OR_ALL|ACCESS_CONF; + cmd->override = OR_AUTHCFG | ACCESS_CONF; errmsg = ap_walk_config(cmd->directive->first_child, cmd, new_auth_config); + cmd->override = old_overrides; if (!errmsg) { provider_alias_rec *prvdraliasrec = apr_pcalloc(cmd->pool, sizeof(provider_alias_rec)); provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP, provider_name, AUTHN_PROVIDER_VERSION); + if (!provider) { + /* by the time they use it, the provider should be loaded and + registered with us. */ + return apr_psprintf(cmd->pool, + "Unknown Authn provider: %s", + provider_name); + } + /* Save off the new directory config along with the original provider name and function pointer data */ prvdraliasrec->sec_auth = new_auth_config; @@ -268,8 +281,6 @@ static const char *authaliassection(cmd_parms *cmd, void *mconfig, const char *a AP_AUTH_INTERNAL_PER_CONF); } - cmd->override = old_overrides; - return errmsg; } @@ -286,6 +297,16 @@ static const char *set_authname(cmd_parms *cmd, void *mconfig, return NULL; } +static const char *set_authtype(cmd_parms *cmd, void *mconfig, + const char *word1) +{ + authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig; + + aconfig->auth_type_set = 1; + aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL; + + return NULL; +} static const char *authn_ap_auth_type(request_rec *r) { 
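Review bot: The comment inside the new `if (!provider)` block in `authaliassection` contradicts the code around it: it says the provider "should be loaded and registered" by the time it is used, while the branch rejects the configuration at parse time. I would replace it with something like `/* the base provider must already be registered when the alias section is parsed; refuse the alias rather than keep a NULL provider */`. This presumably makes alias sections depend on the base provider's module being loaded earlier in the configuration, which is worth noting in the directive's documentation. The lookup could also move ahead of the `apr_pcalloc` of `prvdraliasrec`, since the record is unused on the error path. The function starts and ends outside this hunk.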
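Review bot: In `set_authtype` the expression `strcasecmp(word1, "None") ? word1 : NULL` relies on strcasecmp returning non-zero for a mismatch, so the branch that disables authentication is easy to misread. Spelling out the comparison puts the security-relevant case first: `aconfig->ap_auth_type = (strcasecmp(word1, "None") == 0) ? NULL : word1;`. The added function also appears to run straight into `authn_ap_auth_type` without a separating blank line.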
@@ -309,21 +330,41 @@ static const char *authn_ap_auth_name(request_rec *r) static const command_rec authn_cmds[] = { - AP_INIT_TAKE1("AuthType", ap_set_string_slot, - (void*)APR_OFFSETOF(authn_core_dir_conf, ap_auth_type), OR_AUTHCFG, - "An HTTP authorization type (e.g., \"Basic\")"), + AP_INIT_TAKE1("AuthType", set_authtype, NULL, OR_AUTHCFG, + "an HTTP authorization type (e.g., \"Basic\")"), AP_INIT_TAKE1("AuthName", set_authname, NULL, OR_AUTHCFG, - "The authentication realm (e.g. \"Members Only\")"), + "the authentication realm (e.g. \"Members Only\")"), AP_INIT_RAW_ARGS("