From: Stefan Fritsch
Date: Sun, 19 Sep 2010 18:09:18 +0000 (+0000)
Subject: Add method authz provider as potential Limit/LimitExcept replacement.
X-Git-Tag: 2.3.9~481
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=39e871f7e476619e9cc9c2559a92c20a880da785;p=thirdparty%2Fapache%2Fhttpd.git

Add method authz provider as potential Limit/LimitExcept replacement.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@998708 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml
index 40e1212c92a..1685baceed4 100644
--- a/docs/manual/mod/mod_authz_host.xml
+++ b/docs/manual/mod/mod_authz_host.xml
@@ -202,6 +202,33 @@ address) +
Require method + +

The method provider allows to use the HTTP method in + authorization decisions. The GET and HEAD methods are treated as + equivalent. The TRACE method is not available to this provider, + use TraceEnable instead.

+ +

The following examples will only allow GET, HEAD, POST, and OPTIONS + requests:

+ + + Require method GET POST OPTIONS
+
+ +

The following examples will allow GET, HEAD, POST, and OPTIONS + requests without authentication, and require a valid user for all other + methods:

+ + + <RequireAny>
+ Require method GET POST OPTIONS
+ Require valid-user
+ </RequireAny>
+
+ +
+
diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index a56d7738c4f..b9d99d0afc7 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -244,6 +244,38 @@ static const char *all_parse_config(cmd_parms *cmd, const char *require_line,
 }
 }
 
+static authz_status method_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
+{
+ const apr_int64_t *allowed = parsed_require_line;
+ if (*allowed & (AP_METHOD_BIT << r->method_number))
+ return AUTHZ_GRANTED;
+ else
+ return AUTHZ_DENIED;
+}
+
+static const char *method_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line)
+{
+ const char *w, *t;
+ apr_int64_t *allowed = apr_pcalloc(cmd->pool, sizeof(apr_int64_t));
+
+ t = require_line;
+
+ while ((w = ap_getword_conf(cmd->temp_pool, &t)) && w[0]) {
+ int m = ap_method_number_of(w);
+ if (m == M_INVALID) {
+ return apr_pstrcat(cmd->pool, "Invalid Method '", w, "'", NULL);
+ }
+
+ *allowed |= (AP_METHOD_BIT << m);
+ }
+
+ *parsed_require_line = allowed;
+ return NULL;
+}
+
 static const authz_provider authz_env_provider =
 {
 &env_check_authorization,
@@ -268,6 +300,12 @@ static const authz_provider authz_all_provider =
 &all_parse_config,
 };
 
+static const authz_provider authz_method_provider =
+{
+ &method_check_authorization,
+ &method_parse_config,
+};
+
 static void register_hooks(apr_pool_t *p)
 {
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "env",
@@ -282,6 +320,9 @@ static void register_hooks(apr_pool_t *p)
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "all",
 AUTHZ_PROVIDER_VERSION,
 &authz_all_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "method",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_method_provider, AP_AUTH_INTERNAL_PER_CONF);
 }
 
 AP_DECLARE_MODULE(authz_host) =
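Review bot: In `method_parse_config` (first hunk of mod_authz_host.c), a `Require method` line with no method names is accepted with `*allowed` left at 0, so the directive then denies every request and the administrator gets no diagnostic at configuration time. That fails closed, but an empty list is almost certainly a mistake; after the loop I would add `if (*allowed == 0) return "Require method needs at least one method name";`. `method_check_authorization` also deserves a comment stating the fail-closed property the code relies on, e.g. `/* the parser never sets the M_INVALID bit, so unrecognised request methods are always denied */`. The documentation hunk says TRACE is not available to this provider, yet the parser as shown accepts any name `ap_method_number_of()` recognises, so presumably `Require method TRACE` is accepted silently; rejecting it here would keep code and documentation in agreement.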